| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.content.html">content</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#deidentify">deidentify(parent, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">De-identifies potentially sensitive info from a ContentItem.</p> |
| <p class="toc_element"> |
| <code><a href="#inspect">inspect(parent, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Finds potentially sensitive info in content.</p> |
| <p class="toc_element"> |
| <code><a href="#reidentify">reidentify(parent, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Re-identifies content that has been de-identified.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="deidentify">deidentify(parent, body, x__xgafv=None)</code> |
| <pre>De-identifies potentially sensitive info from a ContentItem. |
| This method has limits on input size and output size. |
| See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to |
| learn more. |
| |
| When no InfoTypes or CustomInfoTypes are specified in this request, the |
| system will automatically choose what detectors to run. By default this may |
| be all types, but may change over time as detectors are updated. |
| |
| Args: |
| parent: string, The parent resource name, for example projects/my-project-id. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request to de-identify a list of items. |
| "deidentifyTemplateName": "A String", # Optional template to use. Any configuration directly specified in |
| # deidentify_config will override those set in the template. Singular fields |
| # that are set in this request will replace their corresponding fields in the |
| # template. Repeated fields are appended. Singular sub-messages and groups |
| # are recursively merged. |
| "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in |
| # inspect_config will override those set in the template. Singular fields |
| # that are set in this request will replace their corresponding fields in the |
| # template. Repeated fields are appended. Singular sub-messages and groups |
| # are recursively merged. |
| "deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item. |
| # Items specified here will override the template referenced by the |
| # deidentify_template_name argument. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output [optional]. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. [optional] |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Input field(s) to apply the transformation to. [required] |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. |
| # Items specified here will override the template referenced by the |
| # inspect_template_name argument. |
| # When used with redactContent only info_types and min_likelihood are currently |
| # used. |
| "excludeInfoTypes": True or False, # When true, excludes type information of the findings. |
| "limits": { |
| "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. |
| # When set within `InspectContentRequest`, the maximum returned is 2000 |
| # regardless if this is set higher. |
| "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. |
| { # Max findings configuration per infoType, per content item or long |
| # running DlpJob. |
| "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per |
| # info_type should be provided. If InfoTypeLimit does not have an |
| # info_type, the DLP API applies the limit against all info_types that |
| # are found but not specified in another InfoTypeLimit. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "maxFindings": 42, # Max findings limit for the given infoType. |
| }, |
| ], |
| "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. |
| # When set within `InspectDataSourceRequest`, |
| # the maximum returned is 2000 regardless if this is set higher. |
| # When set within `InspectContentRequest`, this field is ignored. |
| }, |
| "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is |
| # POSSIBLE. |
| # See https://cloud.google.com/dlp/docs/likelihood to learn more. |
| "customInfoTypes": [ # CustomInfoTypes provided by the user. See |
| # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. |
| { # Custom information type provided by the user. Used to find domain-specific |
| # sensitive information configurable to the data in question. |
| "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that |
| # support reversing. |
| # such as |
| # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). |
| # These types of transformations are |
| # those that perform pseudonymization, thereby producing a "surrogate" as |
| # output. This should be used in conjunction with a field on the |
| # transformation such as `surrogate_info_type`. This CustomInfoType does |
| # not support the use of `detection_rules`. |
| }, |
| "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in |
| # infoType, when the name matches one of existing infoTypes and that infoType |
| # is specified in `InspectContent.info_types` field. Specifying the latter |
| # adds findings to the one detected by the system. If built-in info type is |
| # not specified in `InspectContent.info_types` list then the name is treated |
| # as a custom info type. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in |
| # `InspectDataSource`. Not currently supported in `InspectContent`. |
| "name": "A String", # Resource name of the requested `StoredInfoType`, for example |
| # `organizations/433245324/storedInfoTypes/432452342` or |
| # `projects/project-id/storedInfoTypes/432452342`. |
| "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for |
| # inspection was created. Output-only field, populated by the system. |
| }, |
| "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. |
| # Rules are applied in order that they are specified. Not supported for the |
| # `surrogate_type` CustomInfoType. |
| { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a |
| # `CustomInfoType` to alter behavior under certain circumstances, depending |
| # on the specific details of the rule. Not supported for the `surrogate_type` |
| # custom infoType. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| }, |
| ], |
| "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding |
| # to be returned. It still can be used for rules matching. |
| "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be |
| # altered by a detection rule if the finding meets the criteria specified by |
| # the rule. Defaults to `VERY_LIKELY` if not specified. |
| }, |
| ], |
| "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is |
| # included in the response; see Finding.quote. |
| "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. |
| # Exclusion rules, contained in the set are executed in the end, other |
| # rules are executed in the order they are specified for each info type. |
| { # Rule set for modifying a set of infoTypes to alter behavior under certain |
| # circumstances, depending on the specific details of the rules within the set. |
| "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. |
| { # A single inspection rule to be applied to infoTypes, specified in |
| # `InspectionRuleSet`. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule. |
| # `InspectionRuleSet` are removed from results. |
| "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. |
| "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or |
| # contained within with a finding of an infoType from this list. For |
| # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and |
| # `exclusion_rule` containing `exclude_info_types.info_types` with |
| # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap |
| # with EMAIL_ADDRESS finding. |
| # That leads to "[email protected]" to generate only a single |
| # finding, namely email address. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. |
| }, |
| }, |
| ], |
| "infoTypes": [ # List of infoTypes this rule set is applied to. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| "contentOptions": [ # List of options defining data content to scan. |
| # If empty, text, images, and other content will be included. |
| "A String", |
| ], |
| "infoTypes": [ # Restricts what info_types to look for. The values must correspond to |
| # InfoType values returned by ListInfoTypes or listed at |
| # https://cloud.google.com/dlp/docs/infotypes-reference. |
| # |
| # When no InfoTypes or CustomInfoTypes are specified in a request, the |
| # system may automatically choose what detectors to run. By default this may |
| # be all types, but may change over time as detectors are updated. |
| # |
| # The special InfoType name "ALL_BASIC" can be used to trigger all detectors, |
| # but may change over time as new InfoTypes are added. If you need precise |
| # control and predictability as to what detectors are run you should specify |
| # specific InfoTypes listed in the reference. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text. |
| "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See |
| # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| "headers": [ |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| "rows": [ |
| { |
| "values": [ |
| { # Set of primitive values supported by the system. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| ], |
| }, |
| ], |
| }, |
| "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. |
| "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. |
| "data": "A String", # Content data to inspect or redact. |
| }, |
| "value": "A String", # String data to inspect or redact. |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Results of de-identifying a ContentItem. |
| "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`. |
| "transformationSummaries": [ # Transformations applied to the dataset. |
| { # Summary of a single transformation. |
| # Only one of 'transformation', 'field_transformation', or 'record_suppress' |
| # will be set. |
| "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to. |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| "results": [ |
| { # A collection that informs the user the number of times a particular |
| # `TransformationResultCode` and error details occurred. |
| "count": "A String", |
| "code": "A String", |
| "details": "A String", # A place for warnings or errors to show up if a transformation didn't |
| # work as expected. |
| }, |
| ], |
| "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId. |
| "name": "A String", # Name describing the field. |
| }, |
| "fieldTransformations": [ # The field transformation that was applied. |
| # If multiple field transformations are requested for a single field, |
| # this list will contain all of them; otherwise, only one is supplied. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. [optional] |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Input field(s) to apply the transformation to. [required] |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| "transformedBytes": "A String", # Total size in bytes that were transformed in some way. |
| "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| }, |
| ], |
| "transformedBytes": "A String", # Total size in bytes that were transformed in some way. |
| }, |
| "item": { # Container structure for the content to inspect. # The de-identified item. |
| "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See |
| # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| "headers": [ |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| "rows": [ |
| { |
| "values": [ |
| { # Set of primitive values supported by the system. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| ], |
| }, |
| ], |
| }, |
| "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. |
| "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. |
| "data": "A String", # Content data to inspect or redact. |
| }, |
| "value": "A String", # String data to inspect or redact. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="inspect">inspect(parent, body, x__xgafv=None)</code> |
| <pre>Finds potentially sensitive info in content. |
| This method has limits on input size, processing time, and output size. |
| |
| When no InfoTypes or CustomInfoTypes are specified in this request, the |
| system will automatically choose what detectors to run. By default this may |
| be all types, but may change over time as detectors are updated. |
| |
| For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images |
| and https://cloud.google.com/dlp/docs/inspecting-text, |
| |
| Args: |
| parent: string, The parent resource name, for example projects/my-project-id. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request to search for potentially sensitive info in a ContentItem. |
| "item": { # Container structure for the content to inspect. # The item to inspect. |
| "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See |
| # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| "headers": [ |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| "rows": [ |
| { |
| "values": [ |
| { # Set of primitive values supported by the system. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| ], |
| }, |
| ], |
| }, |
| "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. |
| "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. |
| "data": "A String", # Content data to inspect or redact. |
| }, |
| "value": "A String", # String data to inspect or redact. |
| }, |
| "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. What specified here will override |
| # the template referenced by the inspect_template_name argument. |
| # When used with redactContent only info_types and min_likelihood are currently |
| # used. |
| "excludeInfoTypes": True or False, # When true, excludes type information of the findings. |
| "limits": { |
| "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. |
| # When set within `InspectContentRequest`, the maximum returned is 2000 |
| # regardless if this is set higher. |
| "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. |
| { # Max findings configuration per infoType, per content item or long |
| # running DlpJob. |
| "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per |
| # info_type should be provided. If InfoTypeLimit does not have an |
| # info_type, the DLP API applies the limit against all info_types that |
| # are found but not specified in another InfoTypeLimit. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "maxFindings": 42, # Max findings limit for the given infoType. |
| }, |
| ], |
| "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. |
| # When set within `InspectDataSourceRequest`, |
| # the maximum returned is 2000 regardless if this is set higher. |
| # When set within `InspectContentRequest`, this field is ignored. |
| }, |
| "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is |
| # POSSIBLE. |
| # See https://cloud.google.com/dlp/docs/likelihood to learn more. |
| "customInfoTypes": [ # CustomInfoTypes provided by the user. See |
| # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. |
| { # Custom information type provided by the user. Used to find domain-specific |
| # sensitive information configurable to the data in question. |
| "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that |
| # support reversing. |
| # such as |
| # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). |
| # These types of transformations are |
| # those that perform pseudonymization, thereby producing a "surrogate" as |
| # output. This should be used in conjunction with a field on the |
| # transformation such as `surrogate_info_type`. This CustomInfoType does |
| # not support the use of `detection_rules`. |
| }, |
| "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in |
| # infoType, when the name matches one of existing infoTypes and that infoType |
| # is specified in `InspectContent.info_types` field. Specifying the latter |
| # adds findings to the one detected by the system. If built-in info type is |
| # not specified in `InspectContent.info_types` list then the name is treated |
| # as a custom info type. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in |
| # `InspectDataSource`. Not currently supported in `InspectContent`. |
| "name": "A String", # Resource name of the requested `StoredInfoType`, for example |
| # `organizations/433245324/storedInfoTypes/432452342` or |
| # `projects/project-id/storedInfoTypes/432452342`. |
| "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for |
| # inspection was created. Output-only field, populated by the system. |
| }, |
| "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. |
| # Rules are applied in order that they are specified. Not supported for the |
| # `surrogate_type` CustomInfoType. |
| { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a |
| # `CustomInfoType` to alter behavior under certain circumstances, depending |
| # on the specific details of the rule. Not supported for the `surrogate_type` |
| # custom infoType. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| }, |
| ], |
| "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding |
| # to be returned. It still can be used for rules matching. |
| "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be |
| # altered by a detection rule if the finding meets the criteria specified by |
| # the rule. Defaults to `VERY_LIKELY` if not specified. |
| }, |
| ], |
| "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is |
| # included in the response; see Finding.quote. |
| "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. |
| # Exclusion rules, contained in the set are executed in the end, other |
| # rules are executed in the order they are specified for each info type. |
| { # Rule set for modifying a set of infoTypes to alter behavior under certain |
| # circumstances, depending on the specific details of the rules within the set. |
| "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. |
| { # A single inspection rule to be applied to infoTypes, specified in |
| # `InspectionRuleSet`. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule. |
| # `InspectionRuleSet` are removed from results. |
| "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. |
| "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or |
| # contained within with a finding of an infoType from this list. For |
| # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and |
| # `exclusion_rule` containing `exclude_info_types.info_types` with |
| # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap |
| # with EMAIL_ADDRESS finding. |
| # That leads to "[email protected]" to generate only a single |
| # finding, namely email address. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. |
| }, |
| }, |
| ], |
| "infoTypes": [ # List of infoTypes this rule set is applied to. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| "contentOptions": [ # List of options defining data content to scan. |
| # If empty, text, images, and other content will be included. |
| "A String", |
| ], |
| "infoTypes": [ # Restricts what info_types to look for. The values must correspond to |
| # InfoType values returned by ListInfoTypes or listed at |
| # https://cloud.google.com/dlp/docs/infotypes-reference. |
| # |
| # When no InfoTypes or CustomInfoTypes are specified in a request, the |
| # system may automatically choose what detectors to run. By default this may |
| # be all types, but may change over time as detectors are updated. |
| # |
| # The special InfoType name "ALL_BASIC" can be used to trigger all detectors, |
| # but may change over time as new InfoTypes are added. If you need precise |
| # control and predictability as to what detectors are run you should specify |
| # specific InfoTypes listed in the reference. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in |
| # inspect_config will override those set in the template. Singular fields |
| # that are set in this request will replace their corresponding fields in the |
| # template. Repeated fields are appended. Singular sub-messages and groups |
| # are recursively merged. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Results of inspecting an item. |
| "result": { # All the findings for a single scanned item. # The findings. |
| "findingsTruncated": True or False, # If true, then this item might have more findings than were returned, |
| # and the findings returned are an arbitrary subset of all findings. |
| # The findings list might be truncated because the input items were too |
| # large, or because the server reached the maximum amount of resources |
| # allowed for a single API call. For best results, divide the input into |
| # smaller batches. |
| "findings": [ # List of findings for an item. |
| { # Represents a piece of potentially sensitive content. |
| "infoType": { # Type of information detected by the API. # The type of content that might have been found. |
| # Provided if `excluded_types` is false. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "quote": "A String", # The content that was found. Even if the content is not textual, it |
| # may be converted to a textual representation here. |
| # Provided if `include_quote` is true and the finding is |
| # less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes |
| # in length, the quote may be omitted. |
| "quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set |
| # to true and a supported infoType was requested. Currently supported |
| # infoTypes: DATE, DATE_OF_BIRTH and TIME. |
| "dateTime": { # Message for a date time object. # The date time indicated by the quote. |
| # e.g. 2018-01-01, 5th August. |
| "dayOfWeek": "A String", |
| "timeZone": { |
| "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. |
| # E.g. For "UTC-9", this value is -540. |
| }, |
| "date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set. All fields are optional, but |
| # when set must be valid date or time values. |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "time": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| }, |
| }, |
| "location": { # Specifies the location of the finding. # Where the content was found. |
| "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. |
| # These are relative to the finding's containing element. |
| # Note that when the content is not textual, this references |
| # the UTF-8 encoded textual representation of the content. |
| # Omitted if content is an image. |
| "start": "A String", # Index of the first character of the range (inclusive). |
| "end": "A String", # Index of the last character of the range (exclusive). |
| }, |
| "codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding. |
| # These are relative to the finding's containing element. |
| # Provided when the content is text. |
| "start": "A String", # Index of the first character of the range (inclusive). |
| "end": "A String", # Index of the last character of the range (exclusive). |
| }, |
| "contentLocations": [ # List of nested objects pointing to the precise location of the finding |
| # within the file or record. |
| { # Findings container location data. |
| "containerName": "A String", # Name of the container where the finding is located. |
| # The top level name is the source file name or table name. Names of some |
| # common storage containers are formatted as follows: |
| # |
| # * BigQuery tables: `<project_id>:<dataset_id>.<table_id>` |
| # * Cloud Storage files: `gs://<bucket>/<path>` |
| # * Datastore namespace: <namespace> |
| # |
| # Nested names could be absent if the embedded object has no string |
| # identifier (for an example an image contained within a document). |
| "containerVersion": "A String", # Findings container version, if available |
| # ("generation" for Google Cloud Storage). |
| "containerTimestamp": "A String", # Findings container modification timestamp, if applicable. |
| # For Google Cloud Storage contains last file modification timestamp. |
| # For BigQuery table contains last_modified_time property. |
| # For Datastore - not populated. |
| "documentLocation": { # Location of a finding within a document. # Location data for document files. |
| "fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding |
| # is located. |
| }, |
| "imageLocation": { # Location of the finding within an image. # Location within an image's pixels. |
| "boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding. |
| { # Bounding box encompassing detected text within an image. |
| "width": 42, # Width of the bounding box in pixels. |
| "top": 42, # Top coordinate of the bounding box. (0,0) is upper left. |
| "left": 42, # Left coordinate of the bounding box. (0,0) is upper left. |
| "height": 42, # Height of the bounding box in pixels. |
| }, |
| ], |
| }, |
| "recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table. |
| "fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding. |
| "name": "A String", # Name describing the field. |
| }, |
| "tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`. |
| "rowIndex": "A String", # The zero-based index of the row where the finding is located. |
| }, |
| "recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding. |
| "bigQueryKey": { # Row key for identifying a record in BigQuery table. |
| "tableReference": { # Message defining the location of a BigQuery table. A table is uniquely # Complete BigQuery table reference. |
| # identified by its project_id, dataset_id, and table_name. Within a query |
| # a table is often referenced with a string in the format of: |
| # `<project_id>:<dataset_id>.<table_id>` or |
| # `<project_id>.<dataset_id>.<table_id>`. |
| "projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. |
| # If omitted, project ID is inferred from the API call. |
| "tableId": "A String", # Name of the table. |
| "datasetId": "A String", # Dataset ID of the table. |
| }, |
| "rowNumber": "A String", # Absolute number of the row from the beginning of the table at the time |
| # of scanning. |
| }, |
| "idValues": [ # Values of identifying columns in the given row. Order of values matches |
| # the order of field identifiers specified in the scanning request. |
| "A String", |
| ], |
| "datastoreKey": { # Record key for a finding in Cloud Datastore. |
| "entityKey": { # A unique identifier for a Datastore entity. # Datastore entity key. |
| # If a key's partition ID or any of its path kinds or names are |
| # reserved/read-only, the key is reserved/read-only. |
| # A reserved/read-only key is forbidden in certain documented contexts. |
| "path": [ # The entity path. |
| # An entity path consists of one or more elements composed of a kind and a |
| # string or numerical identifier, which identify entities. The first |
| # element identifies a _root entity_, the second element identifies |
| # a _child_ of the root entity, the third element identifies a child of the |
| # second entity, and so forth. The entities identified by all prefixes of |
| # the path are called the element's _ancestors_. |
| # |
| # A path can never be empty, and a path can have at most 100 elements. |
| { # A (kind, ID/name) pair used to construct a key path. |
| # |
| # If either name or ID is set, the element is complete. |
| # If neither is set, the element is incomplete. |
| "kind": "A String", # The kind of the entity. |
| # A kind matching regex `__.*__` is reserved/read-only. |
| # A kind must not contain more than 1500 bytes when UTF-8 encoded. |
| # Cannot be `""`. |
| "name": "A String", # The name of the entity. |
| # A name matching regex `__.*__` is reserved/read-only. |
| # A name must not be more than 1500 bytes when UTF-8 encoded. |
| # Cannot be `""`. |
| "id": "A String", # The auto-allocated ID of the entity. |
| # Never equal to zero. Values less than zero are discouraged and may not |
| # be supported in the future. |
| }, |
| ], |
| "partitionId": { # Datastore partition ID. # Entities are partitioned into subsets, currently identified by a project |
| # ID and namespace ID. |
| # Queries are scoped to a single partition. |
| # A partition ID identifies a grouping of entities. The grouping is always |
| # by project and namespace, however the namespace ID may be empty. |
| # |
| # A partition ID contains several dimensions: |
| # project ID and namespace ID. |
| "projectId": "A String", # The ID of the project to which the entities belong. |
| "namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong. |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| ], |
| }, |
| "likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct. |
| "createTime": "A String", # Timestamp when finding was detected. |
| }, |
| ], |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="reidentify">reidentify(parent, body, x__xgafv=None)</code> |
| <pre>Re-identifies content that has been de-identified. |
| See |
| https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example |
| to learn more. |
| |
| Args: |
| parent: string, The parent resource name. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request to re-identify an item. |
| "reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item. |
| # This field shares the same proto message type that is used for |
| # de-identification, however its usage here is for the reversal of the |
| # previous de-identification. Re-identification is performed by examining |
| # the transformations used to de-identify the items and executing the |
| # reverse. This requires that only reversible transformations |
| # be provided here. The reversible transformations are: |
| # |
| # - `CryptoReplaceFfxFpeConfig` |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output [optional]. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. [optional] |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Input field(s) to apply the transformation to. [required] |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "reidentifyTemplateName": "A String", # Optional template to use. References an instance of `DeidentifyTemplate`. |
| # Any configuration directly specified in `reidentify_config` or |
| # `inspect_config` will override those set in the template. Singular fields |
| # that are set in this request will replace their corresponding fields in the |
| # template. Repeated fields are appended. Singular sub-messages and groups |
| # are recursively merged. |
| "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. |
| # When used with redactContent only info_types and min_likelihood are currently |
| # used. |
| "excludeInfoTypes": True or False, # When true, excludes type information of the findings. |
| "limits": { |
| "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. |
| # When set within `InspectContentRequest`, the maximum returned is 2000 |
| # regardless if this is set higher. |
| "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. |
| { # Max findings configuration per infoType, per content item or long |
| # running DlpJob. |
| "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per |
| # info_type should be provided. If InfoTypeLimit does not have an |
| # info_type, the DLP API applies the limit against all info_types that |
| # are found but not specified in another InfoTypeLimit. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "maxFindings": 42, # Max findings limit for the given infoType. |
| }, |
| ], |
| "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. |
| # When set within `InspectDataSourceRequest`, |
| # the maximum returned is 2000 regardless if this is set higher. |
| # When set within `InspectContentRequest`, this field is ignored. |
| }, |
| "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is |
| # POSSIBLE. |
| # See https://cloud.google.com/dlp/docs/likelihood to learn more. |
| "customInfoTypes": [ # CustomInfoTypes provided by the user. See |
| # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. |
| { # Custom information type provided by the user. Used to find domain-specific |
| # sensitive information configurable to the data in question. |
| "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that |
| # support reversing. |
| # such as |
| # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). |
| # These types of transformations are |
| # those that perform pseudonymization, thereby producing a "surrogate" as |
| # output. This should be used in conjunction with a field on the |
| # transformation such as `surrogate_info_type`. This CustomInfoType does |
| # not support the use of `detection_rules`. |
| }, |
| "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in |
| # infoType, when the name matches one of existing infoTypes and that infoType |
| # is specified in `InspectContent.info_types` field. Specifying the latter |
| # adds findings to the one detected by the system. If built-in info type is |
| # not specified in `InspectContent.info_types` list then the name is treated |
| # as a custom info type. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in |
| # `InspectDataSource`. Not currently supported in `InspectContent`. |
| "name": "A String", # Resource name of the requested `StoredInfoType`, for example |
| # `organizations/433245324/storedInfoTypes/432452342` or |
| # `projects/project-id/storedInfoTypes/432452342`. |
| "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for |
| # inspection was created. Output-only field, populated by the system. |
| }, |
| "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. |
| # Rules are applied in order that they are specified. Not supported for the |
| # `surrogate_type` CustomInfoType. |
| { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a |
| # `CustomInfoType` to alter behavior under certain circumstances, depending |
| # on the specific details of the rule. Not supported for the `surrogate_type` |
| # custom infoType. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| }, |
| ], |
| "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding |
| # to be returned. It still can be used for rules matching. |
| "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be |
| # altered by a detection rule if the finding meets the criteria specified by |
| # the rule. Defaults to `VERY_LIKELY` if not specified. |
| }, |
| ], |
| "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is |
| # included in the response; see Finding.quote. |
| "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. |
| # Exclusion rules, contained in the set are executed in the end, other |
| # rules are executed in the order they are specified for each info type. |
| { # Rule set for modifying a set of infoTypes to alter behavior under certain |
| # circumstances, depending on the specific details of the rules within the set. |
| "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. |
| { # A single inspection rule to be applied to infoTypes, specified in |
| # `InspectionRuleSet`. |
| "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule. |
| # proximity of hotwords. |
| "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside. |
| # The total length of the window cannot exceed 1000 characters. Note that |
| # the finding itself will be included in the window, so that hotwords may |
| # be used to match substrings of the finding itself. For example, the |
| # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be |
| # adjusted upwards if the area code is known to be the local area code of |
| # a company office using the hotword regex "\(xxx\)", where "xxx" |
| # is the area code in question. |
| # rule. |
| "windowAfter": 42, # Number of characters after the finding to consider. |
| "windowBefore": 42, # Number of characters before the finding to consider. |
| }, |
| "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings. |
| # part of a detection rule. |
| "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of |
| # levels. For example, if a finding would be `POSSIBLE` without the |
| # detection rule and `relative_likelihood` is 1, then it is upgraded to |
| # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. |
| # Likelihood may never drop below `VERY_UNLIKELY` or exceed |
| # `VERY_LIKELY`, so applying an adjustment of 1 followed by an |
| # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in |
| # a final likelihood of `LIKELY`. |
| "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. |
| }, |
| }, |
| "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule. |
| # `InspectionRuleSet` are removed from results. |
| "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. |
| "pattern": "A String", # Pattern defining the regular expression. Its syntax |
| # (https://github.com/google/re2/wiki/Syntax) can be found under the |
| # google/re2 repository on GitHub. |
| "groupIndexes": [ # The index of the submatch to extract as findings. When not |
| # specified, the entire match is returned. No more than 3 may be included. |
| 42, |
| ], |
| }, |
| "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. |
| "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or |
| # contained within with a finding of an infoType from this list. For |
| # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and |
| # `exclusion_rule` containing `exclude_info_types.info_types` with |
| # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap |
| # with EMAIL_ADDRESS finding. |
| # That leads to "[email protected]" to generate only a single |
| # finding, namely email address. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule. |
| # be used to match sensitive information specific to the data, such as a list |
| # of employee IDs or job titles. |
| # |
| # Dictionary words are case-insensitive and all characters other than letters |
| # and digits in the unicode [Basic Multilingual |
| # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) |
| # will be replaced with whitespace when scanning for matches, so the |
| # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", |
| # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters |
| # surrounding any match must be of a different type than the adjacent |
| # characters within the word, so letters must be next to non-letters and |
| # digits next to non-digits. For example, the dictionary word "jen" will |
| # match the first three letters of the text "jen123" but will return no |
| # matches for "jennifer". |
| # |
| # Dictionary words containing a large number of characters that are not |
| # letters or digits may result in unexpected findings because such characters |
| # are treated as whitespace. The |
| # [limits](https://cloud.google.com/dlp/limits) page contains details about |
| # the size limits of dictionaries. For dictionaries that do not fit within |
| # these constraints, consider using `LargeCustomDictionaryConfig` in the |
| # `StoredInfoType` API. |
| "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. |
| "words": [ # Words or phrases defining the dictionary. The dictionary must contain |
| # at least one phrase and every phrase must contain at least 2 characters |
| # that are letters or digits. [required] |
| "A String", |
| ], |
| }, |
| "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file |
| # is accepted. |
| "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. |
| # Example: gs://[BUCKET_NAME]/dictionary.txt |
| }, |
| }, |
| "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. |
| }, |
| }, |
| ], |
| "infoTypes": [ # List of infoTypes this rule set is applied to. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| "contentOptions": [ # List of options defining data content to scan. |
| # If empty, text, images, and other content will be included. |
| "A String", |
| ], |
| "infoTypes": [ # Restricts what info_types to look for. The values must correspond to |
| # InfoType values returned by ListInfoTypes or listed at |
| # https://cloud.google.com/dlp/docs/infotypes-reference. |
| # |
| # When no InfoTypes or CustomInfoTypes are specified in a request, the |
| # system may automatically choose what detectors to run. By default this may |
| # be all types, but may change over time as detectors are updated. |
| # |
| # The special InfoType name "ALL_BASIC" can be used to trigger all detectors, |
| # but may change over time as new InfoTypes are added. If you need precise |
| # control and predictability as to what detectors are run you should specify |
| # specific InfoTypes listed in the reference. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in |
| # `inspect_config` will override those set in the template. Singular fields |
| # that are set in this request will replace their corresponding fields in the |
| # template. Repeated fields are appended. Singular sub-messages and groups |
| # are recursively merged. |
| "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text. |
| "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See |
| # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| "headers": [ |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| "rows": [ |
| { |
| "values": [ |
| { # Set of primitive values supported by the system. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| ], |
| }, |
| ], |
| }, |
| "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. |
| "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. |
| "data": "A String", # Content data to inspect or redact. |
| }, |
| "value": "A String", # String data to inspect or redact. |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Results of re-identifying a item. |
| "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`. |
| "transformationSummaries": [ # Transformations applied to the dataset. |
| { # Summary of a single transformation. |
| # Only one of 'transformation', 'field_transformation', or 'record_suppress' |
| # will be set. |
| "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to. |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| "results": [ |
| { # A collection that informs the user the number of times a particular |
| # `TransformationResultCode` and error details occurred. |
| "count": "A String", |
| "code": "A String", |
| "details": "A String", # A place for warnings or errors to show up if a transformation didn't |
| # work as expected. |
| }, |
| ], |
| "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId. |
| "name": "A String", # Name describing the field. |
| }, |
| "fieldTransformations": [ # The field transformation that was applied. |
| # If multiple field transformations are requested for a single field, |
| # this list will contain all of them; otherwise, only one is supplied. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. [required] |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required] |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| ], |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. [optional] |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. |
| "conditions": [ |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "operator": "A String", # Operator used to compare the field or infoType to the value. [required] |
| "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required] |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Input field(s) to apply the transformation to. [required] |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| "transformedBytes": "A String", # Total size in bytes that were transformed in some way. |
| "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to. |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing. |
| # For example, if your string is 555-555-5555 and you ask us to skip `-` and |
| # mask 5 chars with * we would produce ***-*55-5555. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "commonCharactersToIgnore": "A String", |
| "charactersToSkip": "A String", |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an |
| # alphabetic string such as name, or "0" for a numeric string such as ZIP |
| # code or credit card number. String must have length 1. If not supplied, we |
| # will default to "*" for strings, 0 for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # '0', number_to_mask is 14, and `reverse_order` is false, then |
| # 1234-5678-9012-3456 -> 00000000000000-3456 |
| # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` |
| # is true, then 12345 -> 12*** |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: <info type name>(<surrogate character count>):<surrogate> |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value “-10”. [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value “89+”. |
| # [Required]. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required]. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a |
| # portion of the value. |
| "partToExtract": "A String", |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| }, |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past. |
| # [Required] |
| "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| # [Required] |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set method. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided |
| # the default behavior will be to hyphenate the min-max range. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| ], |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required] |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required] |
| "wrappedKey": "A String", # The wrapped data crypto key. [required] |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # A 128/192/256 bit key. [required] |
| }, |
| "transient": { # Use this to have a random data crypto key generated. |
| # It will be discarded after the request finishes. |
| "name": "A String", # Name of the key. [required] |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62]. |
| "commonAlphabet": "A String", |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 62]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. InfoType names should conform to the pattern |
| # [a-zA-Z0-9_]{1,64}. |
| }, |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| }, |
| }, |
| }, |
| ], |
| "transformedBytes": "A String", # Total size in bytes that were transformed in some way. |
| }, |
| "item": { # Container structure for the content to inspect. # The re-identified item. |
| "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See |
| # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to |
| # learn more. |
| "headers": [ |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| "rows": [ |
| { |
| "values": [ |
| { # Set of primitive values supported by the system. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "floatValue": 3.14, |
| "timestampValue": "A String", |
| "dayOfWeekValue": "A String", |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| }, |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| }, |
| "stringValue": "A String", |
| "booleanValue": True or False, |
| "integerValue": "A String", |
| }, |
| ], |
| }, |
| ], |
| }, |
| "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. |
| "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. |
| "data": "A String", # Content data to inspect or redact. |
| }, |
| "value": "A String", # String data to inspect or redact. |
| }, |
| }</pre> |
| </div> |
| |
| </body></html> |
