google-cloud-privileged_access_manager-v1 0.a → 0.1.0

data/proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb

@@ -0,0 +1,966 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Google
+  module Cloud
+    module PrivilegedAccessManager
+      module V1
+        # Request message for `CheckOnboardingStatus` method.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The resource for which the onboarding status should be checked.
+        #     Should be in one of the following formats:
+        #
+        #     * `projects/{project-number|project-id}/locations/{region}`
+        #     * `folders/{folder-number}/locations/{region}`
+        #     * `organizations/{organization-number}/locations/{region}`
+        class CheckOnboardingStatusRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Response message for `CheckOnboardingStatus` method.
+        # @!attribute [rw] service_account
+        #   @return [::String]
+        #     The service account that PAM uses to act on this resource.
+        # @!attribute [rw] findings
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding>]
+        #     List of issues that are preventing PAM from functioning for this resource
+        #     and need to be fixed to complete onboarding. Some issues might not be
+        #     detected or reported.
+        class CheckOnboardingStatusResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Finding represents an issue which prevents PAM from functioning properly
+          # for this resource.
+          # @!attribute [rw] iam_access_denied
+          #   @return [::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding::IAMAccessDenied]
+          #     PAM's service account is being denied access by Cloud IAM.
+          class Finding
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # PAM's service account is being denied access by Cloud IAM.
+            # This can be fixed by granting a role that contains the missing
+            # permissions to the service account or exempting it from deny policies if
+            # they are blocking the access.
+            # @!attribute [rw] missing_permissions
+            #   @return [::Array<::String>]
+            #     List of permissions that are being denied.
+            class IAMAccessDenied
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+        end
+
+        # An entitlement defines the eligibility of a set of users to obtain
+        # predefined access for some time possibly after going through an approval
+        # workflow.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Identifier. Name of the entitlement.
+        #     Possible formats:
+        #
+        #     * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}`
+        #     * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}`
+        #     * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`
+        # @!attribute [r] create_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Create time stamp.
+        # @!attribute [r] update_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Update time stamp.
+        # @!attribute [rw] eligible_users
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
+        #     Optional. Who can create grants using this entitlement. This list should
+        #     contain at most one entry.
+        # @!attribute [rw] approval_workflow
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::ApprovalWorkflow]
+        #     Optional. The approvals needed before access are granted to a requester. No
+        #     approvals are needed if this field is null.
+        # @!attribute [rw] privileged_access
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
+        #     The access granted to a requester on successful approval.
+        # @!attribute [rw] max_request_duration
+        #   @return [::Google::Protobuf::Duration]
+        #     Required. The maximum amount of time that access is granted for a request.
+        #     A requester can ask for a duration less than this, but never more.
+        # @!attribute [r] state
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::State]
+        #     Output only. Current state of this entitlement.
+        # @!attribute [rw] requester_justification_config
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig]
+        #     Required. The manner in which the requester should provide a justification
+        #     for requesting access.
+        # @!attribute [rw] additional_notification_targets
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::AdditionalNotificationTargets]
+        #     Optional. Additional email addresses to be notified based on actions taken.
+        # @!attribute [rw] etag
+        #   @return [::String]
+        #     An `etag` is used for optimistic concurrency control as a way to prevent
+        #     simultaneous updates to the same entitlement. An `etag` is returned in the
+        #     response to `GetEntitlement` and the caller should put the `etag` in the
+        #     request to `UpdateEntitlement` so that their change is applied on
+        #     the same version. If this field is omitted or if there is a mismatch while
+        #     updating an entitlement, then the server rejects the request.
+        class Entitlement
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Defines how a requester must provide a justification when requesting
+          # access.
+          # @!attribute [rw] not_mandatory
+          #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::NotMandatory]
+          #     This option means the requester isn't required to provide a
+          #     justification.
+          # @!attribute [rw] unstructured
+          #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::Unstructured]
+          #     This option means the requester must provide a string as
+          #     justification. If this is selected, the server allows the requester
+          #     to provide a justification but doesn't validate it.
+          class RequesterJustificationConfig
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # The justification is not mandatory but can be provided in any of the
+            # supported formats.
+            class NotMandatory
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+
+            # The requester has to provide a justification in the form of a string.
+            class Unstructured
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+
+          # AdditionalNotificationTargets includes email addresses to be notified.
+          # @!attribute [rw] admin_email_recipients
+          #   @return [::Array<::String>]
+          #     Optional. Additional email addresses to be notified when a principal
+          #     (requester) is granted access.
+          # @!attribute [rw] requester_email_recipients
+          #   @return [::Array<::String>]
+          #     Optional. Additional email address to be notified about an eligible
+          #     entitlement.
+          class AdditionalNotificationTargets
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Different states an entitlement can be in.
+          module State
+            # Unspecified state. This value is never returned by the server.
+            STATE_UNSPECIFIED = 0
+
+            # The entitlement is being created.
+            CREATING = 1
+
+            # The entitlement is available for requesting access.
+            AVAILABLE = 2
+
+            # The entitlement is being deleted.
+            DELETING = 3
+
+            # The entitlement has been deleted.
+            DELETED = 4
+
+            # The entitlement is being updated.
+            UPDATING = 5
+          end
+        end
+
+        # AccessControlEntry is used to control who can do some operation.
+        # @!attribute [rw] principals
+        #   @return [::Array<::String>]
+        #     Optional. Users who are allowed for the operation. Each entry should be a
+        #     valid v1 IAM principal identifier. The format for these is documented at:
+        #     https://cloud.google.com/iam/docs/principal-identifiers#v1
+        class AccessControlEntry
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Different types of approval workflows that can be used to gate privileged
+        # access granting.
+        # @!attribute [rw] manual_approvals
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals]
+        #     An approval workflow where users designated as approvers review and act
+        #     on the grants.
+        class ApprovalWorkflow
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A manual approval workflow where users who are designated as approvers
+        # need to call the `ApproveGrant`/`DenyGrant` APIs for a grant. The workflow
+        # can consist of multiple serial steps where each step defines who can act as
+        # approver in that step and how many of those users should approve before the
+        # workflow moves to the next step.
+        #
+        # This can be used to create approval workflows such as:
+        #
+        # * Require an approval from any user in a group G.
+        # * Require an approval from any k number of users from a Group G.
+        # * Require an approval from any user in a group G and then from a user U.
+        #
+        # A single user might be part of the `approvers` ACL for multiple steps in this
+        # workflow, but they can only approve once and that approval is only considered
+        # to satisfy the approval step at which it was granted.
+        # @!attribute [rw] require_approver_justification
+        #   @return [::Boolean]
+        #     Optional. Do the approvers need to provide a justification for their
+        #     actions?
+        # @!attribute [rw] steps
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals::Step>]
+        #     Optional. List of approval steps in this workflow. These steps are followed
+        #     in the specified order sequentially. Only 1 step is supported.
+        class ManualApprovals
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Step represents a logical step in a manual approval workflow.
+          # @!attribute [rw] approvers
+          #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
+          #     Optional. The potential set of approvers in this step. This list must
+          #     contain at most one entry.
+          # @!attribute [rw] approvals_needed
+          #   @return [::Integer]
+          #     Required. How many users from the above list need to approve. If there
+          #     aren't enough distinct users in the list, then the workflow indefinitely
+          #     blocks. Should always be greater than 0. 1 is the only supported value.
+          # @!attribute [rw] approver_email_recipients
+          #   @return [::Array<::String>]
+          #     Optional. Additional email addresses to be notified when a grant is
+          #     pending approval.
+          class Step
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+        end
+
+        # Privileged access that this service can be used to gate.
+        # @!attribute [rw] gcp_iam_access
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess]
+        #     Access to a Google Cloud resource through IAM.
+        class PrivilegedAccess
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # GcpIamAccess represents IAM based access control on a Google Cloud
+          # resource. Refer to https://cloud.google.com/iam/docs to understand more
+          # about IAM.
+          # @!attribute [rw] resource_type
+          #   @return [::String]
+          #     Required. The type of this resource.
+          # @!attribute [rw] resource
+          #   @return [::String]
+          #     Required. Name of the resource.
+          # @!attribute [rw] role_bindings
+          #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess::RoleBinding>]
+          #     Required. Role bindings that are created on successful grant.
+          class GcpIamAccess
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # IAM Role bindings that are created after a successful grant.
+            # @!attribute [rw] role
+            #   @return [::String]
+            #     Required. IAM role to be granted.
+            #     https://cloud.google.com/iam/docs/roles-overview.
+            # @!attribute [rw] condition_expression
+            #   @return [::String]
+            #     Optional. The expression field of the IAM condition to be associated
+            #     with the role. If specified, a user with an active grant for this
+            #     entitlement is able to access the resource only if this condition
+            #     evaluates to true for their request.
+            #
+            #     This field uses the same CEL format as IAM and supports all attributes
+            #     that IAM supports, except tags.
+            #     https://cloud.google.com/iam/docs/conditions-overview#attributes.
+            class RoleBinding
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+            end
+          end
+        end
+
+        # Message for requesting list of entitlements.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The parent which owns the entitlement resources.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     Optional. Requested page size. Server may return fewer items than
+        #     requested. If unspecified, the server picks an appropriate default.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     Optional. A token identifying a page of results the server should return.
+        # @!attribute [rw] filter
+        #   @return [::String]
+        #     Optional. Filtering results.
+        # @!attribute [rw] order_by
+        #   @return [::String]
+        #     Optional. Hint for how to order the results.
+        class ListEntitlementsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for response to listing entitlements.
+        # @!attribute [rw] entitlements
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
+        #     The list of entitlements.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     A token identifying a page of results the server should return.
+        # @!attribute [rw] unreachable
+        #   @return [::Array<::String>]
+        #     Locations that could not be reached.
+        class ListEntitlementsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for `SearchEntitlements` method.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The parent which owns the entitlement resources.
+        # @!attribute [rw] caller_access_type
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchEntitlementsRequest::CallerAccessType]
+        #     Required. Only entitlements where the calling user has this access are
+        #     returned.
+        # @!attribute [rw] filter
+        #   @return [::String]
+        #     Optional. Only entitlements matching this filter are returned in the
+        #     response.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     Optional. Requested page size. The server may return fewer items than
+        #     requested. If unspecified, the server picks an appropriate default.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     Optional. A token identifying a page of results the server should return.
+        class SearchEntitlementsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Different types of access a user can have on the entitlement resource.
+          module CallerAccessType
+            # Unspecified access type.
+            CALLER_ACCESS_TYPE_UNSPECIFIED = 0
+
+            # The user has access to create grants using this entitlement.
+            GRANT_REQUESTER = 1
+
+            # The user has access to approve/deny grants created under this
+            # entitlement.
+            GRANT_APPROVER = 2
+          end
+        end
+
+        # Response message for `SearchEntitlements` method.
+        # @!attribute [rw] entitlements
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
+        #     The list of entitlements.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     A token identifying a page of results the server should return.
+        class SearchEntitlementsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for getting an entitlement.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the resource.
+        class GetEntitlementRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for creating an entitlement.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. Name of the parent resource for the entitlement.
+        #     Possible formats:
+        #
+        #     * `organizations/{organization-number}/locations/{region}`
+        #     * `folders/{folder-number}/locations/{region}`
+        #     * `projects/{project-id|project-number}/locations/{region}`
+        # @!attribute [rw] entitlement_id
+        #   @return [::String]
+        #     Required. The ID to use for this entitlement. This becomes the last part of
+        #     the resource name.
+        #
+        #     This value should be 4-63 characters in length, and valid characters are
+        #     "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
+        #
+        #     This value should be unique among all other entitlements under the
+        #     specified `parent`.
+        # @!attribute [rw] entitlement
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
+        #     Required. The resource being created
+        # @!attribute [rw] request_id
+        #   @return [::String]
+        #     Optional. An optional request ID to identify requests. Specify a unique
+        #     request ID so that if you must retry your request, the server knows to
+        #     ignore the request if it has already been completed. The server guarantees
+        #     this for at least 60 minutes after the first request.
+        #
+        #     For example, consider a situation where you make an initial request and the
+        #     request times out. If you make the request again with the same request
+        #     ID, the server can check if original operation with the same request ID
+        #     was received, and if so, ignores the second request and returns the
+        #     previous operation's response. This prevents clients from accidentally
+        #     creating duplicate commitments.
+        #
+        #     The request ID must be a valid UUID with the exception that zero UUID is
+        #     not supported (00000000-0000-0000-0000-000000000000).
+        class CreateEntitlementRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for deleting an entitlement.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the resource.
+        # @!attribute [rw] request_id
+        #   @return [::String]
+        #     Optional. An optional request ID to identify requests. Specify a unique
+        #     request ID so that if you must retry your request, the server knows to
+        #     ignore the request if it has already been completed. The server guarantees
+        #     this for at least 60 minutes after the first request.
+        #
+        #     For example, consider a situation where you make an initial request and the
+        #     request times out. If you make the request again with the same request
+        #     ID, the server can check if original operation with the same request ID
+        #     was received, and if so, ignores the second request. This prevents
+        #     clients from accidentally creating duplicate commitments.
+        #
+        #     The request ID must be a valid UUID with the exception that zero UUID is
+        #     not supported (00000000-0000-0000-0000-000000000000).
+        # @!attribute [rw] force
+        #   @return [::Boolean]
+        #     Optional. If set to true, any child grant under this entitlement is also
+        #     deleted. (Otherwise, the request only works if the entitlement has no child
+        #     grant.)
+        class DeleteEntitlementRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for updating an entitlement.
+        # @!attribute [rw] entitlement
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
+        #     Required. The entitlement resource that is updated.
+        # @!attribute [rw] update_mask
+        #   @return [::Google::Protobuf::FieldMask]
+        #     Required. The list of fields to update. A field is overwritten if, and only
+        #     if, it is in the mask. Any immutable fields set in the mask are ignored by
+        #     the server. Repeated fields and map fields are only allowed in the last
+        #     position of a `paths` string and overwrite the existing values. Hence an
+        #     update to a repeated field or a map should contain the entire list of
+        #     values. The fields specified in the update_mask are relative to the
+        #     resource and not to the request.
+        #     (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`)
+        #     A value of '*' for this field refers to full replacement of the resource.
+        class UpdateEntitlementRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # This is to ensure that the `Grants` and `ProducerGrants` proto are byte
+        # compatible.
+        # A grant represents a request from a user for obtaining the access specified
+        # in an entitlement they are eligible for.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Identifier. Name of this grant.
+        #     Possible formats:
+        #
+        #     * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
+        #     * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
+        #     * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
+        #
+        #     The last segment of this name (`{grant-id}`) is autogenerated.
+        # @!attribute [r] create_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Create time stamp.
+        # @!attribute [r] update_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. Update time stamp.
+        # @!attribute [r] requester
+        #   @return [::String]
+        #     Output only. Username of the user who created this grant.
+        # @!attribute [rw] requested_duration
+        #   @return [::Google::Protobuf::Duration]
+        #     Required. The amount of time access is needed for. This value should be
+        #     less than the `max_request_duration` value of the entitlement.
+        # @!attribute [rw] justification
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Justification]
+        #     Optional. Justification of why this access is needed.
+        # @!attribute [r] state
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::State]
+        #     Output only. Current state of this grant.
+        # @!attribute [r] timeline
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline]
+        #     Output only. Timeline of this grant.
+        # @!attribute [r] privileged_access
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
+        #     Output only. The access that would be granted by this grant.
+        # @!attribute [r] audit_trail
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail]
+        #     Output only. Audit trail of access provided by this grant. If unspecified
+        #     then access was never granted.
+        # @!attribute [rw] additional_email_recipients
+        #   @return [::Array<::String>]
+        #     Optional. Additional email addresses to notify for all the actions
+        #     performed on the grant.
+        # @!attribute [r] externally_modified
+        #   @return [::Boolean]
+        #     Output only. Flag set by the PAM system to indicate that policy bindings
+        #     made by this grant have been modified from outside PAM.
+        #
+        #     After it is set, this flag remains set forever irrespective of the grant
+        #     state. A `true` value here indicates that PAM no longer has any certainty
+        #     on the access a user has because of this grant.
+        class Grant
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Timeline of a grant describing what happened to it and when.
+          # @!attribute [r] events
+          #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
+          #     Output only. The events that have occurred on this grant. This list
+          #     contains entries in the same order as they occurred. The first entry is
+          #     always be of type `Requested` and there is always at least one entry in
+          #     this array.
+          class Timeline
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+
+            # A single operation on the grant.
+            # @!attribute [rw] requested
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
+            #     The grant was requested.
+            # @!attribute [rw] approved
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
+            #     The grant was approved.
+            # @!attribute [rw] denied
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
+            #     The grant was denied.
+            # @!attribute [rw] revoked
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
+            #     The grant was revoked.
+            # @!attribute [rw] scheduled
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
+            #     The grant has been scheduled to give access.
+            # @!attribute [rw] activated
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
+            #     The grant was successfully activated to give access.
+            # @!attribute [rw] activation_failed
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
+            #     There was a non-retriable error while trying to give access.
+            # @!attribute [rw] expired
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
+            #     The approval workflow did not complete in the necessary duration,
+            #     and so the grant is expired.
+            # @!attribute [rw] ended
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
+            #     Access given by the grant ended automatically as the approved
+            #     duration was over.
+            # @!attribute [rw] externally_modified
+            #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
+            #     The policy bindings made by grant have been modified outside of PAM.
+            # @!attribute [r] event_time
+            #   @return [::Google::Protobuf::Timestamp]
+            #     Output only. The time (as recorded at server) when this event occurred.
+            class Event
+              include ::Google::Protobuf::MessageExts
+              extend ::Google::Protobuf::MessageExts::ClassMethods
+
+              # An event representing that a grant was requested.
+              # @!attribute [r] expire_time
+              #   @return [::Google::Protobuf::Timestamp]
+              #     Output only. The time at which this grant expires unless the approval
+              #     workflow completes. If omitted, then the request never expires.
+              class Requested
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant was approved.
+              # @!attribute [r] reason
+              #   @return [::String]
+              #     Output only. The reason provided by the approver for approving the
+              #     grant.
+              # @!attribute [r] actor
+              #   @return [::String]
+              #     Output only. Username of the user who approved the grant.
+              class Approved
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant was denied.
+              # @!attribute [r] reason
+              #   @return [::String]
+              #     Output only. The reason provided by the approver for denying the
+              #     grant.
+              # @!attribute [r] actor
+              #   @return [::String]
+              #     Output only. Username of the user who denied the grant.
+              class Denied
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant was revoked.
+              # @!attribute [r] reason
+              #   @return [::String]
+              #     Output only. The reason provided by the user for revoking the grant.
+              # @!attribute [r] actor
+              #   @return [::String]
+              #     Output only. Username of the user who revoked the grant.
+              class Revoked
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant has been scheduled to be
+              # activated later.
+              # @!attribute [r] scheduled_activation_time
+              #   @return [::Google::Protobuf::Timestamp]
+              #     Output only. The time at which the access is granted.
+              class Scheduled
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant was successfully
+              # activated.
+              class Activated
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant activation failed.
+              # @!attribute [r] error
+              #   @return [::Google::Rpc::Status]
+              #     Output only. The error that occurred while activating the grant.
+              class ActivationFailed
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant was expired.
+              class Expired
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the grant has ended.
+              class Ended
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+
+              # An event representing that the policy bindings made by this grant were
+              # modified externally.
+              class ExternallyModified
+                include ::Google::Protobuf::MessageExts
+                extend ::Google::Protobuf::MessageExts::ClassMethods
+              end
+            end
+          end
+
+          # Audit trail for the access provided by this grant.
+          # @!attribute [r] access_grant_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which access was given.
+          # @!attribute [r] access_remove_time
+          #   @return [::Google::Protobuf::Timestamp]
+          #     Output only. The time at which the system removed access. This could be
+          #     because of an automatic expiry or because of a revocation.
+          #
+          #     If unspecified, then access hasn't been removed yet.
+          class AuditTrail
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+
+          # Different states a grant can be in.
+          module State
+            # Unspecified state. This value is never returned by the server.
+            STATE_UNSPECIFIED = 0
+
+            # The entitlement had an approval workflow configured and this grant is
+            # waiting for the workflow to complete.
+            APPROVAL_AWAITED = 1
+
+            # The approval workflow completed with a denied result. No access is
+            # granted for this grant. This is a terminal state.
+            DENIED = 3
+
+            # The approval workflow completed successfully with an approved result or
+            # none was configured. Access is provided at an appropriate time.
+            SCHEDULED = 4
+
+            # Access is being given.
+            ACTIVATING = 5
+
+            # Access was successfully given and is currently active.
+            ACTIVE = 6
+
+            # The system could not give access due to a non-retriable error. This is a
+            # terminal state.
+            ACTIVATION_FAILED = 7
+
+            # Expired after waiting for the approval workflow to complete. This is a
+            # terminal state.
+            EXPIRED = 8
+
+            # Access is being revoked.
+            REVOKING = 9
+
+            # Access was revoked by a user. This is a terminal state.
+            REVOKED = 10
+
+            # System took back access as the requested duration was over. This is a
+            # terminal state.
+            ENDED = 11
+          end
+        end
+
+        # Justification represents a justification for requesting access.
+        # @!attribute [rw] unstructured_justification
+        #   @return [::String]
+        #     A free form textual justification. The system only ensures that this
+        #     is not empty. No other kind of validation is performed on the string.
+        class Justification
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for requesting list of grants.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The parent resource which owns the grants.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     Optional. Requested page size. The server may return fewer items than
+        #     requested. If unspecified, the server picks an appropriate default.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     Optional. A token identifying a page of results the server should return.
+        # @!attribute [rw] filter
+        #   @return [::String]
+        #     Optional. Filtering results.
+        # @!attribute [rw] order_by
+        #   @return [::String]
+        #     Optional. Hint for how to order the results
+        class ListGrantsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for response to listing grants.
+        # @!attribute [rw] grants
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
+        #     The list of grants.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     A token identifying a page of results the server should return.
+        # @!attribute [rw] unreachable
+        #   @return [::Array<::String>]
+        #     Locations that could not be reached.
+        class ListGrantsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for `SearchGrants` method.
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. The parent which owns the grant resources.
+        # @!attribute [rw] caller_relationship
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchGrantsRequest::CallerRelationshipType]
+        #     Required. Only grants which the caller is related to by this relationship
+        #     are returned in the response.
+        # @!attribute [rw] filter
+        #   @return [::String]
+        #     Optional. Only grants matching this filter are returned in the response.
+        # @!attribute [rw] page_size
+        #   @return [::Integer]
+        #     Optional. Requested page size. The server may return fewer items than
+        #     requested. If unspecified, server picks an appropriate default.
+        # @!attribute [rw] page_token
+        #   @return [::String]
+        #     Optional. A token identifying a page of results the server should return.
+        class SearchGrantsRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Different types of relationships a user can have with a grant.
+          module CallerRelationshipType
+            # Unspecified caller relationship type.
+            CALLER_RELATIONSHIP_TYPE_UNSPECIFIED = 0
+
+            # The user created this grant by calling `CreateGrant` earlier.
+            HAD_CREATED = 1
+
+            # The user is an approver for the entitlement that this grant is parented
+            # under and can currently approve/deny it.
+            CAN_APPROVE = 2
+
+            # The caller had successfully approved/denied this grant earlier.
+            HAD_APPROVED = 3
+          end
+        end
+
+        # Response message for `SearchGrants` method.
+        # @!attribute [rw] grants
+        #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
+        #     The list of grants.
+        # @!attribute [rw] next_page_token
+        #   @return [::String]
+        #     A token identifying a page of results the server should return.
+        class SearchGrantsResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for getting a grant.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the resource.
+        class GetGrantRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for `ApproveGrant` method.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the grant resource which is being approved.
+        # @!attribute [rw] reason
+        #   @return [::String]
+        #     Optional. The reason for approving this grant. This is required if the
+        #     `require_approver_justification` field of the `ManualApprovals` workflow
+        #     used in this grant is true.
+        class ApproveGrantRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for `DenyGrant` method.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the grant resource which is being denied.
+        # @!attribute [rw] reason
+        #   @return [::String]
+        #     Optional. The reason for denying this grant. This is required if
+        #     `require_approver_justification` field of the `ManualApprovals` workflow
+        #     used in this grant is true.
+        class DenyGrantRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Request message for `RevokeGrant` method.
+        # @!attribute [rw] name
+        #   @return [::String]
+        #     Required. Name of the grant resource which is being revoked.
+        # @!attribute [rw] reason
+        #   @return [::String]
+        #     Optional. The reason for revoking this grant.
+        class RevokeGrantRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Message for creating a grant
+        # @!attribute [rw] parent
+        #   @return [::String]
+        #     Required. Name of the parent entitlement for which this grant is being
+        #     requested.
+        # @!attribute [rw] grant
+        #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant]
+        #     Required. The resource being created.
+        # @!attribute [rw] request_id
+        #   @return [::String]
+        #     Optional. An optional request ID to identify requests. Specify a unique
+        #     request ID so that if you must retry your request, the server knows to
+        #     ignore the request if it has already been completed. The server guarantees
+        #     this for at least 60 minutes after the first request.
+        #
+        #     For example, consider a situation where you make an initial request and the
+        #     request times out. If you make the request again with the same request
+        #     ID, the server can check if original operation with the same request ID
+        #     was received, and if so, ignores the second request. This prevents
+        #     clients from accidentally creating duplicate commitments.
+        #
+        #     The request ID must be a valid UUID with the exception that zero UUID is
+        #     not supported (00000000-0000-0000-0000-000000000000).
+        class CreateGrantRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # Represents the metadata of the long-running operation.
+        # @!attribute [r] create_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. The time the operation was created.
+        # @!attribute [r] end_time
+        #   @return [::Google::Protobuf::Timestamp]
+        #     Output only. The time the operation finished running.
+        # @!attribute [r] target
+        #   @return [::String]
+        #     Output only. Server-defined resource path for the target of the operation.
+        # @!attribute [r] verb
+        #   @return [::String]
+        #     Output only. Name of the verb executed by the operation.
+        # @!attribute [r] status_message
+        #   @return [::String]
+        #     Output only. Human-readable status of the operation, if any.
+        # @!attribute [r] requested_cancellation
+        #   @return [::Boolean]
+        #     Output only. Identifies whether the user has requested cancellation
+        #     of the operation. Operations that have been cancelled successfully
+        #     have [Operation.error][] value with a
+        #     {::Google::Rpc::Status#code google.rpc.Status.code} of 1, corresponding to
+        #     `Code.CANCELLED`.
+        # @!attribute [r] api_version
+        #   @return [::String]
+        #     Output only. API version used to start the operation.
+        class OperationMetadata
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+      end
+    end
+  end
+end