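// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.identity.accesscontextmanager.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/identity/accesscontextmanager/v1/access_level.proto";
import "google/identity/accesscontextmanager/v1/access_policy.proto";
import "google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto";
import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";

option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "google.golang.org/genproto/googleapis/identity/accesscontextmanager/v1;accesscontextmanager";
option java_multiple_files = true;
option java_outer_classname = "AccessContextManagerProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option objc_class_prefix = "GACM";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";

// API for setting [Access Levels]
// [google.identity.accesscontextmanager.v1.AccessLevel] and [Service
// Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
// for Google Cloud Projects. Each organization has one [AccessPolicy]
// [google.identity.accesscontextmanager.v1.AccessPolicy] containing the
// [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
// and [Service Perimeters]
// [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
// [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
// applicable to all resources in the organization.
//
// Every mutating RPC in this service changes organization-wide access
// control configuration and returns a `google.longrunning.Operation`. A
// successful Operation means the change has reached long-lasting storage;
// it does not by itself mean the change is already enforced everywhere (see
// the per-method comments, in particular for GcpUserAccessBindings). All
// methods are authorized with the
// `https://www.googleapis.com/auth/cloud-platform` OAuth scope declared
// below.
service AccessContextManager {
  option (google.api.default_host) = "accesscontextmanager.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // List all [AccessPolicies]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] under a
  // container.
  rpc ListAccessPolicies(ListAccessPoliciesRequest) returns (ListAccessPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1/accessPolicies"
    };
  }

  // Get an [AccessPolicy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] by name.
  rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create an `AccessPolicy`. Fails if this organization already has a
  // `AccessPolicy`. The longrunning Operation will have a successful status
  // once the `AccessPolicy` has propagated to long-lasting storage.
  // Syntactic and basic semantic errors will be returned in `metadata` as a
  // BadRequest proto.
  //
  // Note: unlike the other Create methods in this service, the request
  // message is the resource itself rather than a `Create...Request` wrapper.
  // This is part of the published API and must not be changed in place; a
  // wrapper could only be introduced as a new method.
  rpc CreateAccessPolicy(AccessPolicy) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/accessPolicies"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Update an [AccessPolicy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy]. The
  // longrunning Operation from this RPC will have a successful status once the
  // changes to the [AccessPolicy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] have propagated
  // to long-lasting storage. Syntactic and basic semantic errors will be
  // returned in `metadata` as a BadRequest proto.
  rpc UpdateAccessPolicy(UpdateAccessPolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{policy.name=accessPolicies/*}"
      body: "policy"
    };
    option (google.api.method_signature) = "policy,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Delete an [AccessPolicy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] by resource
  // name. The longrunning Operation will have a successful status once the
  // [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy]
  // has been removed from long-lasting storage.
  rpc DeleteAccessPolicy(DeleteAccessPolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // List all [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] for an access
  // policy.
  rpc ListAccessLevels(ListAccessLevelsRequest) returns (ListAccessLevelsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=accessPolicies/*}/accessLevels"
    };
    option (google.api.method_signature) = "parent";
  }

  // Get an [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] by resource
  // name.
  rpc GetAccessLevel(GetAccessLevelRequest) returns (AccessLevel) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*/accessLevels/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create an [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
  // operation from this RPC will have a successful status once the [Access
  // Level] [google.identity.accesscontextmanager.v1.AccessLevel] has
  // propagated to long-lasting storage. [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] containing
  // errors will result in an error response for the first error encountered.
  rpc CreateAccessLevel(CreateAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/accessLevels"
      body: "access_level"
    };
    option (google.api.method_signature) = "parent,access_level";
    option (google.longrunning.operation_info) = {
      response_type: "AccessLevel"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Update an [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. The longrunning
  // operation from this RPC will have a successful status once the changes to
  // the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] have propagated
  // to long-lasting storage. [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] containing
  // errors will result in an error response for the first error encountered.
  rpc UpdateAccessLevel(UpdateAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{access_level.name=accessPolicies/*/accessLevels/*}"
      body: "access_level"
    };
    option (google.api.method_signature) = "access_level,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "AccessLevel"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Delete an [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] by resource
  // name. The longrunning operation from this RPC will have a successful status
  // once the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
  // from long-lasting storage.
  rpc DeleteAccessLevel(DeleteAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*/accessLevels/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Replace all existing [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] in an [Access
  // Policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
  // the [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
  // is done atomically. The longrunning operation from this RPC will have a
  // successful status once all replacements have propagated to long-lasting
  // storage. Replacements containing errors will result in an error response
  // for the first error encountered. Replacement will be cancelled on error,
  // existing [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] will not be
  // affected. Operation.response field will contain
  // ReplaceAccessLevelsResponse. Removing [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
  // [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] will result in
  // error.
  //
  // This is a whole-set replacement: any existing Access Level not present in
  // the request is removed. Supply the complete desired set, and set
  // `ReplaceAccessLevelsRequest.etag` so the replacement is rejected if the
  // policy changed since it was read.
  rpc ReplaceAccessLevels(ReplaceAccessLevelsRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/accessLevels:replaceAll"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "ReplaceAccessLevelsResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // List all [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
  // access policy.
  rpc ListServicePerimeters(ListServicePerimetersRequest) returns (ListServicePerimetersResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=accessPolicies/*}/servicePerimeters"
    };
    option (google.api.method_signature) = "parent";
  }

  // Get a [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
  // name.
  rpc GetServicePerimeter(GetServicePerimeterRequest) returns (ServicePerimeter) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create a [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
  // longrunning operation from this RPC will have a successful status once the
  // [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] has
  // propagated to long-lasting storage. [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
  // errors will result in an error response for the first error encountered.
  rpc CreateServicePerimeter(CreateServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters"
      body: "service_perimeter"
    };
    option (google.api.method_signature) = "parent,service_perimeter";
    option (google.longrunning.operation_info) = {
      response_type: "ServicePerimeter"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Update a [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
  // longrunning operation from this RPC will have a successful status once the
  // changes to the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] have
  // propagated to long-lasting storage. [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] containing
  // errors will result in an error response for the first error encountered.
  rpc UpdateServicePerimeter(UpdateServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}"
      body: "service_perimeter"
    };
    option (google.api.method_signature) = "service_perimeter,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "ServicePerimeter"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Delete a [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] by resource
  // name. The longrunning operation from this RPC will have a successful status
  // once the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] has been
  // removed from long-lasting storage.
  rpc DeleteServicePerimeter(DeleteServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Replace all existing [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
  // [Access Policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
  // with the [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided.
  // This is done atomically. The longrunning operation from this
  // RPC will have a successful status once all replacements have propagated to
  // long-lasting storage. Replacements containing errors will result in an
  // error response for the first error encountered. Replacement will be
  // cancelled on error, existing [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] will not be
  // affected. Operation.response field will contain
  // ReplaceServicePerimetersResponse.
  //
  // This is a whole-set replacement: any existing Service Perimeter not
  // present in the request is removed. Supply the complete desired set, and
  // set `ReplaceServicePerimetersRequest.etag` so the replacement is rejected
  // if the policy changed since it was read.
  rpc ReplaceServicePerimeters(ReplaceServicePerimetersRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "ReplaceServicePerimetersResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Commit the dry-run spec for all the [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
  // [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
  // A commit operation on a Service Perimeter involves copying its `spec` field
  // to that Service Perimeter's `status` field. Only [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] with
  // `use_explicit_dry_run_spec` field set to true are affected by a commit
  // operation. The longrunning operation from this RPC will have a successful
  // status once the dry-run specs for all the [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
  // committed. If a commit fails, it will cause the longrunning operation to
  // return an error response and the entire commit operation will be cancelled.
  // When successful, Operation.response field will contain
  // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields will
  // be cleared after a successful commit operation.
  //
  // `status` is the enforced perimeter configuration, so a commit is the point
  // at which dry-run changes take effect for every perimeter in the policy;
  // review the dry-run results before calling this, and set
  // `CommitServicePerimetersRequest.etag` to guard against committing a policy
  // version other than the one reviewed.
  rpc CommitServicePerimeters(CommitServicePerimetersRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters:commit"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "CommitServicePerimetersResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Lists all [GcpUserAccessBindings]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] for a
  // Google Cloud organization.
  rpc ListGcpUserAccessBindings(ListGcpUserAccessBindingsRequest) returns (ListGcpUserAccessBindingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets the [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] with
  // the given name.
  rpc GetGcpUserAccessBinding(GetGcpUserAccessBindingRequest) returns (GcpUserAccessBinding) {
    option (google.api.http) = {
      get: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the
  // client specifies a [name]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name],
  // the server will ignore it. Fails if a resource already exists with the same
  // [group_key]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key].
  // Completion of this long-running operation does not necessarily signify that
  // the new binding is deployed onto all affected users, which may take more
  // time.
  rpc CreateGcpUserAccessBinding(CreateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
      body: "gcp_user_access_binding"
    };
    option (google.api.method_signature) = "parent,gcp_user_access_binding";
    option (google.longrunning.operation_info) = {
      response_type: "GcpUserAccessBinding"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }

  // Updates a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
  // Completion of this long-running operation does not necessarily signify that
  // the changed binding is deployed onto all affected users, which may take
  // more time.
  rpc UpdateGcpUserAccessBinding(UpdateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}"
      body: "gcp_user_access_binding"
    };
    option (google.api.method_signature) = "gcp_user_access_binding,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "GcpUserAccessBinding"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }

  // Deletes a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
  // Completion of this long-running operation does not necessarily signify that
  // the binding deletion is deployed onto all affected users, which may take
  // more time.
  rpc DeleteGcpUserAccessBinding(DeleteGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }
}

// A request to list all `AccessPolicies` for a container.
message ListAccessPoliciesRequest {
  // Required. Resource name for the container to list AccessPolicy instances
  // from.
  //
  // Format:
  // `organizations/{org_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Number of AccessPolicy instances to include in the list. Default 100.
  // proto3 `int32` has implicit presence, so 0 is indistinguishable from
  // "unset" and yields the default page size.
  int32 page_size = 2;

  // Next page token for the next batch of AccessPolicy instances. Defaults to
  // the first page of results.
  string page_token = 3;
}

// A response to `ListAccessPoliciesRequest`.
message ListAccessPoliciesResponse {
  // List of the AccessPolicy instances.
  repeated AccessPolicy access_policies = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain.
  string next_page_token = 2;
}

// A request to get a particular `AccessPolicy`.
message GetAccessPolicyRequest {
  // Required. Resource name for the access policy to get.
  //
  // Format `accessPolicies/{policy_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessPolicy"
    }
  ];
}

// A request to update an `AccessPolicy`.
message UpdateAccessPolicyRequest {
  // Required. The updated AccessPolicy.
  AccessPolicy policy = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  // Only the paths listed here are written; fields of `policy` outside the
  // mask are ignored.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// A request to delete an `AccessPolicy`.
message DeleteAccessPolicyRequest {
  // Required. Resource name for the access policy to delete.
  //
  // Format `accessPolicies/{policy_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessPolicy"
    }
  ];
}

// A request to list all `AccessLevels` in an `AccessPolicy`.
message ListAccessLevelsRequest {
  // Required. Resource name for the access policy to list [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] from.
  //
  // Format:
  // `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Number of [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] to include in
  // the list. Default 100.
  int32 page_size = 2;

  // Next page token for the next batch of [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
  // Defaults to the first page of results.
  string page_token = 3;

  // Whether to return `BasicLevels` in the Cloud Common Expression language, as
  // `CustomLevels`, rather than as `BasicLevels`. Defaults to returning
  // `AccessLevels` in the format they were defined.
  LevelFormat access_level_format = 4;
}

// A response to `ListAccessLevelsRequest`.
message ListAccessLevelsResponse {
  // List of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
  repeated AccessLevel access_levels = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain.
  string next_page_token = 2;
}

// A request to get a particular `AccessLevel`.
message GetAccessLevelRequest {
  // Required. Resource name for the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format:
  // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Whether to return `BasicLevels` in the Cloud Common Expression
  // Language, as `CustomLevels`, rather than as `BasicLevels`. Defaults to
  // AS_DEFINED, where [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] are returned as
  // `BasicLevels` or `CustomLevels` based on how they were created. If set to
  // CEL, all [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] are returned as
  // `CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent
  // `CustomLevels`.
  LevelFormat access_level_format = 2;
}

// A request to create an `AccessLevel`.
message CreateAccessLevelRequest {
  // Required. Resource name for the access policy which owns this [Access
  // Level] [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Required. The [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] to create.
  // Syntactic correctness of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] is a
  // precondition for creation.
  AccessLevel access_level = 2 [(google.api.field_behavior) = REQUIRED];
}

// A request to update an `AccessLevel`.
message UpdateAccessLevelRequest {
  // Required. The updated [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. Syntactic
  // correctness of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] is a
  // precondition for the update.
  AccessLevel access_level = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  // Only the paths listed here are written; fields of `access_level` outside
  // the mask are ignored.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// A request to delete an `AccessLevel`.
message DeleteAccessLevelRequest {
  // Required. Resource name for the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format:
  // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];
}

// A request to replace all existing Access Levels in an Access Policy with
// the Access Levels provided. This is done atomically.
message ReplaceAccessLevelsRequest {
  // Required. Resource name for the access policy which owns these
  // [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Required. The desired [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] that should
  // replace all existing [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] in the
  // [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy].
  //
  // A `repeated` field has no presence in proto3, so REQUIRED cannot be
  // enforced on the wire; an empty list is delivered to the server exactly
  // like an omitted one and is interpreted as "replace with nothing".
  repeated AccessLevel access_levels = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // replace operation is to be performed on. If, at the time of replace, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the replace operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, no version check is performed and the replace is applied to
  // whatever version is current, so a concurrent edit by another caller can be
  // overwritten.
  //
  // Field number 3 is not assigned in this message. Do not reuse it without
  // confirming no earlier revision shipped it; `reserved 3;` would make that
  // explicit.
  string etag = 4;
}

// A response to ReplaceAccessLevelsRequest. This will be put inside of
// Operation.response field.
message ReplaceAccessLevelsResponse {
  // List of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
  repeated AccessLevel access_levels = 1;
}

// A request to list all `ServicePerimeters` in an `AccessPolicy`.
message ListServicePerimetersRequest {
  // Required. Resource name for the access policy to list [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] from.
  //
  // Format:
  // `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Number of [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to include
  // in the list. Default 100.
  int32 page_size = 2;

  // Next page token for the next batch of [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
  // Defaults to the first page of results.
  string page_token = 3;
}

// A response to `ListServicePerimetersRequest`.
message ListServicePerimetersResponse {
  // List of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
  repeated ServicePerimeter service_perimeters = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain.
  string next_page_token = 2;
}

// A request to get a particular `ServicePerimeter`.
message GetServicePerimeterRequest {
  // Required. Resource name for the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format:
  // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];
}

// A request to create a `ServicePerimeter`.
message CreateServicePerimeterRequest {
  // Required. Resource name for the access policy which owns this [Service
  // Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Required. The [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to create.
  // Syntactic correctness of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] is a
  // precondition for creation.
  ServicePerimeter service_perimeter = 2 [(google.api.field_behavior) = REQUIRED];
}

// A request to update a `ServicePerimeter`.
message UpdateServicePerimeterRequest {
  // Required. The updated `ServicePerimeter`. Syntactic correctness of the
  // `ServicePerimeter` is a precondition for the update.
  ServicePerimeter service_perimeter = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  // Only the paths listed here are written; fields of `service_perimeter`
  // outside the mask are ignored.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// A request to delete a `ServicePerimeter`.
message DeleteServicePerimeterRequest {
  // Required. Resource name for the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format:
  // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];
}

// A request to replace all existing Service Perimeters in an Access Policy
// with the Service Perimeters provided. This is done atomically.
message ReplaceServicePerimetersRequest {
  // Required. Resource name for the access policy which owns these
  // [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Required. The desired [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] that should
  // replace all existing [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in the
  // [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy].
  //
  // A `repeated` field has no presence in proto3, so REQUIRED cannot be
  // enforced on the wire; an empty list is delivered to the server exactly
  // like an omitted one and is interpreted as "replace with nothing".
  repeated ServicePerimeter service_perimeters = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // replace operation is to be performed on. If, at the time of replace, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the replace operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, no version check is performed and the replace is applied to
  // whatever version is current, so a concurrent edit by another caller can be
  // overwritten.
  string etag = 3;
}

// A response to ReplaceServicePerimetersRequest. This will be put inside of
// Operation.response field.
message ReplaceServicePerimetersResponse {
  // List of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
  repeated ServicePerimeter service_perimeters = 1;
}

// A request to commit dry-run specs in all [Service Perimeters]
// [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to
// an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
message CommitServicePerimetersRequest {
  // Required. Resource name for the parent [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] which owns all
  // [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in scope for
  // the commit operation.
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // commit operation is to be performed on. If, at the time of commit, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the commit operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, no version check is performed and the commit is applied to
  // whatever version is current, which may include dry-run changes made after
  // the caller last reviewed the policy.
  string etag = 2;
}

// A response to CommitServicePerimetersRequest. This will be put inside of
// Operation.response field.
message CommitServicePerimetersResponse {
  // List of all the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances in
  // the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy].
  repeated ServicePerimeter service_perimeters = 1;
}

// Request of [ListGcpUserAccessBindings]
// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
message ListGcpUserAccessBindingsRequest {
  // Required. Resource name of the organization whose bindings are listed.
  //
  // Format: `organizations/{org_id}`. Example: "organizations/256"
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Optional. Maximum number of items to return. The server may return fewer items.
  // If left blank, the server may return any number of items.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If left blank, returns the first page. To enumerate all items, use the
  // [next_page_token]
  // [google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsResponse.next_page_token]
  // from your previous list operation.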
string page_token = 3 [(google.api.field_behavior) = OPTIONAL]; } // The format used in an `AccessLevel`. enum LevelFormat { // The format was not specified. LEVEL_FORMAT_UNSPECIFIED = 0; // Uses the format the resource was defined in. BasicLevels are returned as // BasicLevels, CustomLevels are returned as CustomLevels. AS_DEFINED = 1; // Use Cloud Common Expression Language when returning the resource. Both // BasicLevels and CustomLevels are returned as CustomLevels. CEL = 2; } // Response of [ListGcpUserAccessBindings] // [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings]. message ListGcpUserAccessBindingsResponse { // [GcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] repeated GcpUserAccessBinding gcp_user_access_bindings = 1; // Token to get the next page of items. If blank, there are no more items. string next_page_token = 2; } // Request of [GetGcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding]. message GetGcpUserAccessBindingRequest { // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding" } ]; } // Request of [CreateGcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding]. message CreateGcpUserAccessBindingRequest { // Required. Example: "organizations/256" string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "cloudresourcemanager.googleapis.com/Organization" } ]; // Required. 
[GcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] GcpUserAccessBinding gcp_user_access_binding = 2 [(google.api.field_behavior) = REQUIRED]; } // Request of [UpdateGcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding]. message UpdateGcpUserAccessBindingRequest { // Required. [GcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] GcpUserAccessBinding gcp_user_access_binding = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Only the fields specified in this mask are updated. Because name and // group_key cannot be changed, update_mask is required and must always be: // // update_mask { // paths: "access_levels" // } google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; } // Request of [DeleteGcpUserAccessBinding] // [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding]. message DeleteGcpUserAccessBindingRequest { // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding" } ]; } // Currently, a completed operation means nothing. In the future, this metadata // and a completed operation may indicate that the binding has taken effect and // is affecting access decisions for all users. message GcpUserAccessBindingOperationMetadata { } // Metadata of Access Context Manager's Long Running Operations. message AccessContextManagerOperationMetadata { }