Class: Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation

Inherits:

Object

• Object
• Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb

Overview

Details about how a binding in a policy affects a member's ability to use a permission.

Defined Under Namespace

Modules: Membership, RolePermission Classes: AnnotatedMembership, MembershipsEntry

Instance Attribute Summary

• #access ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::AccessState

  Required.

• #condition ⇒ ::Google::Type::Expr

  A condition expression that prevents access unless the expression evaluates to true.

• #memberships ⇒ ::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership}

  Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly.

• #relevance ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance

  The relevance of this binding to the overall determination for the entire policy.

• #role ⇒ ::String

  The role that this binding grants.

• #role_permission ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::RolePermission

  Indicates whether the role granted by this binding contains the specified permission.

• #role_permission_relevance ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance

  The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

Instance Attribute Details

#access ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::AccessState

Returns Required. Indicates whether this binding provides the specified permission to the specified member for the specified resource.

This field does not indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the access field in the [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].

Returns:

• (::Google::Cloud::PolicyTroubleshooter::V1::AccessState) —

  Required. Indicates whether this binding provides the specified permission to the specified member for the specified resource.

  This field does not indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the access field in the [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#condition ⇒ ::Google::Type::Expr

Returns A condition expression that prevents access unless the expression evaluates to true.

To learn about IAM Conditions, see http://cloud.google.com/iam/help/conditions/overview.

Returns:

• (::Google::Type::Expr) —

  A condition expression that prevents access unless the expression evaluates to true.

  To learn about IAM Conditions, see http://cloud.google.com/iam/help/conditions/overview.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#memberships ⇒ ::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership}

Returns Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request.

For example, suppose that a binding includes the following members:

• user:alice@example.com
• group:product-eng@example.com

You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

For the first member in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

For the second member in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

Returns:

• (::Google::Protobuf::Map{::String => ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership}) —

  Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request.

  For example, suppose that a binding includes the following members:

  • user:alice@example.com
  • group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first member in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second member in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#relevance ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance

Returns The relevance of this binding to the overall determination for the entire policy.

Returns:

• (::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance) —

  The relevance of this binding to the overall determination for the entire policy.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role ⇒ ::String

Returns The role that this binding grants. For example, roles/compute.serviceAgent.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

Returns:

• (::String) —

  The role that this binding grants. For example, roles/compute.serviceAgent.

  For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role_permission ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::RolePermission

Returns Indicates whether the role granted by this binding contains the specified permission.

Returns:

• (::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::RolePermission) —

  Indicates whether the role granted by this binding contains the specified permission.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role_permission_relevance ⇒ ::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance

Returns The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

Returns:

• (::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance) —

  The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

# File 'proto_docs/google/cloud/policytroubleshooter/v1/explanations.rb', line 162

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the member.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the member.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::HeuristicRelevance]
  #     The relevance of the member's status to the overall determination for the
  #     binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicyTroubleshooter::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Reserved for future use.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the member.
  module Membership
    # Reserved for future use.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the member. The member can be included directly
    # or indirectly. For example:
    #
    # * A member is included directly if that member is listed in the binding.
    # * A member is included indirectly if that member is in a Google group or
    #   G Suite domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the member.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The sender of the request is not allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The member is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end