google-cloud-privileged_access_manager-v1 0.a → 0.1.0

Files changed (34)
  1. checksums.yaml +4 -4
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +122 -0
  4. data/README.md +144 -8
  5. data/lib/google/cloud/privileged_access_manager/v1/bindings_override.rb +134 -0
  6. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/client.rb +1895 -0
  7. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/credentials.rb +47 -0
  8. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/operations.rb +809 -0
  9. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/paths.rb +206 -0
  10. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/client.rb +1777 -0
  11. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/operations.rb +944 -0
  12. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/service_stub.rb +1109 -0
  13. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest.rb +73 -0
  14. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager.rb +75 -0
  15. data/lib/google/cloud/privileged_access_manager/v1/rest.rb +38 -0
  16. data/lib/google/cloud/privileged_access_manager/v1/version.rb +7 -2
  17. data/lib/google/cloud/privileged_access_manager/v1.rb +45 -0
  18. data/lib/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager_pb.rb +108 -0
  19. data/lib/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager_services_pb.rb +121 -0
  20. data/lib/google-cloud-privileged_access_manager-v1.rb +21 -0
  21. data/proto_docs/README.md +4 -0
  22. data/proto_docs/google/api/client.rb +403 -0
  23. data/proto_docs/google/api/field_behavior.rb +85 -0
  24. data/proto_docs/google/api/launch_stage.rb +71 -0
  25. data/proto_docs/google/api/resource.rb +227 -0
  26. data/proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb +966 -0
  27. data/proto_docs/google/longrunning/operations.rb +164 -0
  28. data/proto_docs/google/protobuf/any.rb +145 -0
  29. data/proto_docs/google/protobuf/duration.rb +98 -0
  30. data/proto_docs/google/protobuf/empty.rb +34 -0
  31. data/proto_docs/google/protobuf/field_mask.rb +229 -0
  32. data/proto_docs/google/protobuf/timestamp.rb +127 -0
  33. data/proto_docs/google/rpc/status.rb +48 -0
  34. metadata +125 -10
@@ -0,0 +1,966 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2024 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Cloud
22
+ module PrivilegedAccessManager
23
+ module V1
24
+ # Request message for `CheckOnboardingStatus` method.
25
+ # @!attribute [rw] parent
26
+ # @return [::String]
27
+ # Required. The resource for which the onboarding status should be checked.
28
+ # Should be in one of the following formats:
29
+ #
30
+ # * `projects/{project-number|project-id}/locations/{region}`
31
+ # * `folders/{folder-number}/locations/{region}`
32
+ # * `organizations/{organization-number}/locations/{region}`
33
+ class CheckOnboardingStatusRequest
34
+ include ::Google::Protobuf::MessageExts
35
+ extend ::Google::Protobuf::MessageExts::ClassMethods
36
+ end
37
+
38
+ # Response message for `CheckOnboardingStatus` method.
39
+ # @!attribute [rw] service_account
40
+ # @return [::String]
41
+ # The service account that PAM uses to act on this resource.
42
+ # @!attribute [rw] findings
43
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding>]
44
+ # List of issues that are preventing PAM from functioning for this resource
45
+ # and need to be fixed to complete onboarding. Some issues might not be
46
+ # detected or reported.
47
+ class CheckOnboardingStatusResponse
48
+ include ::Google::Protobuf::MessageExts
49
+ extend ::Google::Protobuf::MessageExts::ClassMethods
50
+
51
+ # Finding represents an issue which prevents PAM from functioning properly
52
+ # for this resource.
53
+ # @!attribute [rw] iam_access_denied
54
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding::IAMAccessDenied]
55
+ # PAM's service account is being denied access by Cloud IAM.
56
+ class Finding
57
+ include ::Google::Protobuf::MessageExts
58
+ extend ::Google::Protobuf::MessageExts::ClassMethods
59
+
60
+ # PAM's service account is being denied access by Cloud IAM.
61
+ # This can be fixed by granting a role that contains the missing
62
+ # permissions to the service account or exempting it from deny policies if
63
+ # they are blocking the access.
64
+ # @!attribute [rw] missing_permissions
65
+ # @return [::Array<::String>]
66
+ # List of permissions that are being denied.
67
+ class IAMAccessDenied
68
+ include ::Google::Protobuf::MessageExts
69
+ extend ::Google::Protobuf::MessageExts::ClassMethods
70
+ end
71
+ end
72
+ end
73
+
74
+ # An entitlement defines the eligibility of a set of users to obtain
75
+ # predefined access for some time possibly after going through an approval
76
+ # workflow.
77
+ # @!attribute [rw] name
78
+ # @return [::String]
79
+ # Identifier. Name of the entitlement.
80
+ # Possible formats:
81
+ #
82
+ # * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}`
83
+ # * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}`
84
+ # * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`
85
+ # @!attribute [r] create_time
86
+ # @return [::Google::Protobuf::Timestamp]
87
+ # Output only. Create time stamp.
88
+ # @!attribute [r] update_time
89
+ # @return [::Google::Protobuf::Timestamp]
90
+ # Output only. Update time stamp.
91
+ # @!attribute [rw] eligible_users
92
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
93
+ # Optional. Who can create grants using this entitlement. This list should
94
+ # contain at most one entry.
95
+ # @!attribute [rw] approval_workflow
96
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::ApprovalWorkflow]
97
+ # Optional. The approvals needed before access are granted to a requester. No
98
+ # approvals are needed if this field is null.
99
+ # @!attribute [rw] privileged_access
100
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
101
+ # The access granted to a requester on successful approval.
102
+ # @!attribute [rw] max_request_duration
103
+ # @return [::Google::Protobuf::Duration]
104
+ # Required. The maximum amount of time that access is granted for a request.
105
+ # A requester can ask for a duration less than this, but never more.
106
+ # @!attribute [r] state
107
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::State]
108
+ # Output only. Current state of this entitlement.
109
+ # @!attribute [rw] requester_justification_config
110
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig]
111
+ # Required. The manner in which the requester should provide a justification
112
+ # for requesting access.
113
+ # @!attribute [rw] additional_notification_targets
114
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::AdditionalNotificationTargets]
115
+ # Optional. Additional email addresses to be notified based on actions taken.
116
+ # @!attribute [rw] etag
117
+ # @return [::String]
118
+ # An `etag` is used for optimistic concurrency control as a way to prevent
119
+ # simultaneous updates to the same entitlement. An `etag` is returned in the
120
+ # response to `GetEntitlement` and the caller should put the `etag` in the
121
+ # request to `UpdateEntitlement` so that their change is applied on
122
+ # the same version. If this field is omitted or if there is a mismatch while
123
+ # updating an entitlement, then the server rejects the request.
124
+ class Entitlement
125
+ include ::Google::Protobuf::MessageExts
126
+ extend ::Google::Protobuf::MessageExts::ClassMethods
127
+
128
+ # Defines how a requester must provide a justification when requesting
129
+ # access.
130
+ # @!attribute [rw] not_mandatory
131
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::NotMandatory]
132
+ # This option means the requester isn't required to provide a
133
+ # justification.
134
+ # @!attribute [rw] unstructured
135
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::Unstructured]
136
+ # This option means the requester must provide a string as
137
+ # justification. If this is selected, the server allows the requester
138
+ # to provide a justification but doesn't validate it.
139
+ class RequesterJustificationConfig
140
+ include ::Google::Protobuf::MessageExts
141
+ extend ::Google::Protobuf::MessageExts::ClassMethods
142
+
143
+ # The justification is not mandatory but can be provided in any of the
144
+ # supported formats.
145
+ class NotMandatory
146
+ include ::Google::Protobuf::MessageExts
147
+ extend ::Google::Protobuf::MessageExts::ClassMethods
148
+ end
149
+
150
+ # The requester has to provide a justification in the form of a string.
151
+ class Unstructured
152
+ include ::Google::Protobuf::MessageExts
153
+ extend ::Google::Protobuf::MessageExts::ClassMethods
154
+ end
155
+ end
156
+
157
+ # AdditionalNotificationTargets includes email addresses to be notified.
158
+ # @!attribute [rw] admin_email_recipients
159
+ # @return [::Array<::String>]
160
+ # Optional. Additional email addresses to be notified when a principal
161
+ # (requester) is granted access.
162
+ # @!attribute [rw] requester_email_recipients
163
+ # @return [::Array<::String>]
164
+ # Optional. Additional email address to be notified about an eligible
165
+ # entitlement.
166
+ class AdditionalNotificationTargets
167
+ include ::Google::Protobuf::MessageExts
168
+ extend ::Google::Protobuf::MessageExts::ClassMethods
169
+ end
170
+
171
+ # Different states an entitlement can be in.
172
+ module State
173
+ # Unspecified state. This value is never returned by the server.
174
+ STATE_UNSPECIFIED = 0
175
+
176
+ # The entitlement is being created.
177
+ CREATING = 1
178
+
179
+ # The entitlement is available for requesting access.
180
+ AVAILABLE = 2
181
+
182
+ # The entitlement is being deleted.
183
+ DELETING = 3
184
+
185
+ # The entitlement has been deleted.
186
+ DELETED = 4
187
+
188
+ # The entitlement is being updated.
189
+ UPDATING = 5
190
+ end
191
+ end
192
+
193
+ # AccessControlEntry is used to control who can do some operation.
194
+ # @!attribute [rw] principals
195
+ # @return [::Array<::String>]
196
+ # Optional. Users who are allowed for the operation. Each entry should be a
197
+ # valid v1 IAM principal identifier. The format for these is documented at:
198
+ # https://cloud.google.com/iam/docs/principal-identifiers#v1
199
+ class AccessControlEntry
200
+ include ::Google::Protobuf::MessageExts
201
+ extend ::Google::Protobuf::MessageExts::ClassMethods
202
+ end
203
+
204
+ # Different types of approval workflows that can be used to gate privileged
205
+ # access granting.
206
+ # @!attribute [rw] manual_approvals
207
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals]
208
+ # An approval workflow where users designated as approvers review and act
209
+ # on the grants.
210
+ class ApprovalWorkflow
211
+ include ::Google::Protobuf::MessageExts
212
+ extend ::Google::Protobuf::MessageExts::ClassMethods
213
+ end
214
+
215
+ # A manual approval workflow where users who are designated as approvers
216
+ # need to call the `ApproveGrant`/`DenyGrant` APIs for a grant. The workflow
217
+ # can consist of multiple serial steps where each step defines who can act as
218
+ # approver in that step and how many of those users should approve before the
219
+ # workflow moves to the next step.
220
+ #
221
+ # This can be used to create approval workflows such as:
222
+ #
223
+ # * Require an approval from any user in a group G.
224
+ # * Require an approval from any k number of users from a Group G.
225
+ # * Require an approval from any user in a group G and then from a user U.
226
+ #
227
+ # A single user might be part of the `approvers` ACL for multiple steps in this
228
+ # workflow, but they can only approve once and that approval is only considered
229
+ # to satisfy the approval step at which it was granted.
230
+ # @!attribute [rw] require_approver_justification
231
+ # @return [::Boolean]
232
+ # Optional. Do the approvers need to provide a justification for their
233
+ # actions?
234
+ # @!attribute [rw] steps
235
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals::Step>]
236
+ # Optional. List of approval steps in this workflow. These steps are followed
237
+ # in the specified order sequentially. Only 1 step is supported.
238
+ class ManualApprovals
239
+ include ::Google::Protobuf::MessageExts
240
+ extend ::Google::Protobuf::MessageExts::ClassMethods
241
+
242
+ # Step represents a logical step in a manual approval workflow.
243
+ # @!attribute [rw] approvers
244
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
245
+ # Optional. The potential set of approvers in this step. This list must
246
+ # contain at most one entry.
247
+ # @!attribute [rw] approvals_needed
248
+ # @return [::Integer]
249
+ # Required. How many users from the above list need to approve. If there
250
+ # aren't enough distinct users in the list, then the workflow indefinitely
251
+ # blocks. Should always be greater than 0. 1 is the only supported value.
252
+ # @!attribute [rw] approver_email_recipients
253
+ # @return [::Array<::String>]
254
+ # Optional. Additional email addresses to be notified when a grant is
255
+ # pending approval.
256
+ class Step
257
+ include ::Google::Protobuf::MessageExts
258
+ extend ::Google::Protobuf::MessageExts::ClassMethods
259
+ end
260
+ end
261
+
262
+ # Privileged access that this service can be used to gate.
263
+ # @!attribute [rw] gcp_iam_access
264
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess]
265
+ # Access to a Google Cloud resource through IAM.
266
+ class PrivilegedAccess
267
+ include ::Google::Protobuf::MessageExts
268
+ extend ::Google::Protobuf::MessageExts::ClassMethods
269
+
270
+ # GcpIamAccess represents IAM based access control on a Google Cloud
271
+ # resource. Refer to https://cloud.google.com/iam/docs to understand more
272
+ # about IAM.
273
+ # @!attribute [rw] resource_type
274
+ # @return [::String]
275
+ # Required. The type of this resource.
276
+ # @!attribute [rw] resource
277
+ # @return [::String]
278
+ # Required. Name of the resource.
279
+ # @!attribute [rw] role_bindings
280
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess::RoleBinding>]
281
+ # Required. Role bindings that are created on successful grant.
282
+ class GcpIamAccess
283
+ include ::Google::Protobuf::MessageExts
284
+ extend ::Google::Protobuf::MessageExts::ClassMethods
285
+
286
+ # IAM Role bindings that are created after a successful grant.
287
+ # @!attribute [rw] role
288
+ # @return [::String]
289
+ # Required. IAM role to be granted.
290
+ # https://cloud.google.com/iam/docs/roles-overview.
291
+ # @!attribute [rw] condition_expression
292
+ # @return [::String]
293
+ # Optional. The expression field of the IAM condition to be associated
294
+ # with the role. If specified, a user with an active grant for this
295
+ # entitlement is able to access the resource only if this condition
296
+ # evaluates to true for their request.
297
+ #
298
+ # This field uses the same CEL format as IAM and supports all attributes
299
+ # that IAM supports, except tags.
300
+ # https://cloud.google.com/iam/docs/conditions-overview#attributes.
301
+ class RoleBinding
302
+ include ::Google::Protobuf::MessageExts
303
+ extend ::Google::Protobuf::MessageExts::ClassMethods
304
+ end
305
+ end
306
+ end
307
+
308
+ # Message for requesting list of entitlements.
309
+ # @!attribute [rw] parent
310
+ # @return [::String]
311
+ # Required. The parent which owns the entitlement resources.
312
+ # @!attribute [rw] page_size
313
+ # @return [::Integer]
314
+ # Optional. Requested page size. Server may return fewer items than
315
+ # requested. If unspecified, the server picks an appropriate default.
316
+ # @!attribute [rw] page_token
317
+ # @return [::String]
318
+ # Optional. A token identifying a page of results the server should return.
319
+ # @!attribute [rw] filter
320
+ # @return [::String]
321
+ # Optional. Filtering results.
322
+ # @!attribute [rw] order_by
323
+ # @return [::String]
324
+ # Optional. Hint for how to order the results.
325
+ class ListEntitlementsRequest
326
+ include ::Google::Protobuf::MessageExts
327
+ extend ::Google::Protobuf::MessageExts::ClassMethods
328
+ end
329
+
330
+ # Message for response to listing entitlements.
331
+ # @!attribute [rw] entitlements
332
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
333
+ # The list of entitlements.
334
+ # @!attribute [rw] next_page_token
335
+ # @return [::String]
336
+ # A token identifying a page of results the server should return.
337
+ # @!attribute [rw] unreachable
338
+ # @return [::Array<::String>]
339
+ # Locations that could not be reached.
340
+ class ListEntitlementsResponse
341
+ include ::Google::Protobuf::MessageExts
342
+ extend ::Google::Protobuf::MessageExts::ClassMethods
343
+ end
344
+
345
+ # Request message for `SearchEntitlements` method.
346
+ # @!attribute [rw] parent
347
+ # @return [::String]
348
+ # Required. The parent which owns the entitlement resources.
349
+ # @!attribute [rw] caller_access_type
350
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchEntitlementsRequest::CallerAccessType]
351
+ # Required. Only entitlements where the calling user has this access are
352
+ # returned.
353
+ # @!attribute [rw] filter
354
+ # @return [::String]
355
+ # Optional. Only entitlements matching this filter are returned in the
356
+ # response.
357
+ # @!attribute [rw] page_size
358
+ # @return [::Integer]
359
+ # Optional. Requested page size. The server may return fewer items than
360
+ # requested. If unspecified, the server picks an appropriate default.
361
+ # @!attribute [rw] page_token
362
+ # @return [::String]
363
+ # Optional. A token identifying a page of results the server should return.
364
+ class SearchEntitlementsRequest
365
+ include ::Google::Protobuf::MessageExts
366
+ extend ::Google::Protobuf::MessageExts::ClassMethods
367
+
368
+ # Different types of access a user can have on the entitlement resource.
369
+ module CallerAccessType
370
+ # Unspecified access type.
371
+ CALLER_ACCESS_TYPE_UNSPECIFIED = 0
372
+
373
+ # The user has access to create grants using this entitlement.
374
+ GRANT_REQUESTER = 1
375
+
376
+ # The user has access to approve/deny grants created under this
377
+ # entitlement.
378
+ GRANT_APPROVER = 2
379
+ end
380
+ end
381
+
382
+ # Response message for `SearchEntitlements` method.
383
+ # @!attribute [rw] entitlements
384
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
385
+ # The list of entitlements.
386
+ # @!attribute [rw] next_page_token
387
+ # @return [::String]
388
+ # A token identifying a page of results the server should return.
389
+ class SearchEntitlementsResponse
390
+ include ::Google::Protobuf::MessageExts
391
+ extend ::Google::Protobuf::MessageExts::ClassMethods
392
+ end
393
+
394
+ # Message for getting an entitlement.
395
+ # @!attribute [rw] name
396
+ # @return [::String]
397
+ # Required. Name of the resource.
398
+ class GetEntitlementRequest
399
+ include ::Google::Protobuf::MessageExts
400
+ extend ::Google::Protobuf::MessageExts::ClassMethods
401
+ end
402
+
403
+ # Message for creating an entitlement.
404
+ # @!attribute [rw] parent
405
+ # @return [::String]
406
+ # Required. Name of the parent resource for the entitlement.
407
+ # Possible formats:
408
+ #
409
+ # * `organizations/{organization-number}/locations/{region}`
410
+ # * `folders/{folder-number}/locations/{region}`
411
+ # * `projects/{project-id|project-number}/locations/{region}`
412
+ # @!attribute [rw] entitlement_id
413
+ # @return [::String]
414
+ # Required. The ID to use for this entitlement. This becomes the last part of
415
+ # the resource name.
416
+ #
417
+ # This value should be 4-63 characters in length, and valid characters are
418
+ # "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
419
+ #
420
+ # This value should be unique among all other entitlements under the
421
+ # specified `parent`.
422
+ # @!attribute [rw] entitlement
423
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
424
+ # Required. The resource being created
425
+ # @!attribute [rw] request_id
426
+ # @return [::String]
427
+ # Optional. An optional request ID to identify requests. Specify a unique
428
+ # request ID so that if you must retry your request, the server knows to
429
+ # ignore the request if it has already been completed. The server guarantees
430
+ # this for at least 60 minutes after the first request.
431
+ #
432
+ # For example, consider a situation where you make an initial request and the
433
+ # request times out. If you make the request again with the same request
434
+ # ID, the server can check if original operation with the same request ID
435
+ # was received, and if so, ignores the second request and returns the
436
+ # previous operation's response. This prevents clients from accidentally
437
+ # creating duplicate commitments.
438
+ #
439
+ # The request ID must be a valid UUID with the exception that zero UUID is
440
+ # not supported (00000000-0000-0000-0000-000000000000).
441
+ class CreateEntitlementRequest
442
+ include ::Google::Protobuf::MessageExts
443
+ extend ::Google::Protobuf::MessageExts::ClassMethods
444
+ end
445
+
446
+ # Message for deleting an entitlement.
447
+ # @!attribute [rw] name
448
+ # @return [::String]
449
+ # Required. Name of the resource.
450
+ # @!attribute [rw] request_id
451
+ # @return [::String]
452
+ # Optional. An optional request ID to identify requests. Specify a unique
453
+ # request ID so that if you must retry your request, the server knows to
454
+ # ignore the request if it has already been completed. The server guarantees
455
+ # this for at least 60 minutes after the first request.
456
+ #
457
+ # For example, consider a situation where you make an initial request and the
458
+ # request times out. If you make the request again with the same request
459
+ # ID, the server can check if original operation with the same request ID
460
+ # was received, and if so, ignores the second request. This prevents
461
+ # clients from accidentally creating duplicate commitments.
462
+ #
463
+ # The request ID must be a valid UUID with the exception that zero UUID is
464
+ # not supported (00000000-0000-0000-0000-000000000000).
465
+ # @!attribute [rw] force
466
+ # @return [::Boolean]
467
+ # Optional. If set to true, any child grant under this entitlement is also
468
+ # deleted. (Otherwise, the request only works if the entitlement has no child
469
+ # grant.)
470
+ class DeleteEntitlementRequest
471
+ include ::Google::Protobuf::MessageExts
472
+ extend ::Google::Protobuf::MessageExts::ClassMethods
473
+ end
474
+
475
+ # Message for updating an entitlement.
476
+ # @!attribute [rw] entitlement
477
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
478
+ # Required. The entitlement resource that is updated.
479
+ # @!attribute [rw] update_mask
480
+ # @return [::Google::Protobuf::FieldMask]
481
+ # Required. The list of fields to update. A field is overwritten if, and only
482
+ # if, it is in the mask. Any immutable fields set in the mask are ignored by
483
+ # the server. Repeated fields and map fields are only allowed in the last
484
+ # position of a `paths` string and overwrite the existing values. Hence an
485
+ # update to a repeated field or a map should contain the entire list of
486
+ # values. The fields specified in the update_mask are relative to the
487
+ # resource and not to the request.
488
+ # (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`)
489
+ # A value of '*' for this field refers to full replacement of the resource.
490
+ class UpdateEntitlementRequest
491
+ include ::Google::Protobuf::MessageExts
492
+ extend ::Google::Protobuf::MessageExts::ClassMethods
493
+ end
494
+
495
+ # This is to ensure that the `Grants` and `ProducerGrants` proto are byte
496
+ # compatible.
497
+ # A grant represents a request from a user for obtaining the access specified
498
+ # in an entitlement they are eligible for.
499
+ # @!attribute [rw] name
500
+ # @return [::String]
501
+ # Identifier. Name of this grant.
502
+ # Possible formats:
503
+ #
504
+ # * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
505
+ # * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
506
+ # * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
507
+ #
508
+ # The last segment of this name (`{grant-id}`) is autogenerated.
509
+ # @!attribute [r] create_time
510
+ # @return [::Google::Protobuf::Timestamp]
511
+ # Output only. Create time stamp.
512
+ # @!attribute [r] update_time
513
+ # @return [::Google::Protobuf::Timestamp]
514
+ # Output only. Update time stamp.
515
+ # @!attribute [r] requester
516
+ # @return [::String]
517
+ # Output only. Username of the user who created this grant.
518
+ # @!attribute [rw] requested_duration
519
+ # @return [::Google::Protobuf::Duration]
520
+ # Required. The amount of time access is needed for. This value should be
521
+ # less than the `max_request_duration` value of the entitlement.
522
+ # @!attribute [rw] justification
523
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Justification]
524
+ # Optional. Justification of why this access is needed.
525
+ # @!attribute [r] state
526
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::State]
527
+ # Output only. Current state of this grant.
528
+ # @!attribute [r] timeline
529
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline]
530
+ # Output only. Timeline of this grant.
531
+ # @!attribute [r] privileged_access
532
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
533
+ # Output only. The access that would be granted by this grant.
534
+ # @!attribute [r] audit_trail
535
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail]
536
+ # Output only. Audit trail of access provided by this grant. If unspecified
537
+ # then access was never granted.
538
+ # @!attribute [rw] additional_email_recipients
539
+ # @return [::Array<::String>]
540
+ # Optional. Additional email addresses to notify for all the actions
541
+ # performed on the grant.
542
+ # @!attribute [r] externally_modified
543
+ # @return [::Boolean]
544
+ # Output only. Flag set by the PAM system to indicate that policy bindings
545
+ # made by this grant have been modified from outside PAM.
546
+ #
547
+ # After it is set, this flag remains set forever irrespective of the grant
548
+ # state. A `true` value here indicates that PAM no longer has any certainty
549
+ # on the access a user has because of this grant.
550
+ class Grant
551
+ include ::Google::Protobuf::MessageExts
552
+ extend ::Google::Protobuf::MessageExts::ClassMethods
553
+
554
+ # Timeline of a grant describing what happened to it and when.
555
+ # @!attribute [r] events
556
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
557
+ # Output only. The events that have occurred on this grant. This list
558
+ # contains entries in the same order as they occurred. The first entry is
559
+ # always be of type `Requested` and there is always at least one entry in
560
+ # this array.
561
+ class Timeline
562
+ include ::Google::Protobuf::MessageExts
563
+ extend ::Google::Protobuf::MessageExts::ClassMethods
564
+
565
+ # A single operation on the grant.
566
+ # @!attribute [rw] requested
567
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
568
+ # The grant was requested.
569
+ # @!attribute [rw] approved
570
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
571
+ # The grant was approved.
572
+ # @!attribute [rw] denied
573
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
574
+ # The grant was denied.
575
+ # @!attribute [rw] revoked
576
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
577
+ # The grant was revoked.
578
+ # @!attribute [rw] scheduled
579
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
580
+ # The grant has been scheduled to give access.
581
+ # @!attribute [rw] activated
582
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
583
+ # The grant was successfully activated to give access.
584
+ # @!attribute [rw] activation_failed
585
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
586
+ # There was a non-retriable error while trying to give access.
587
+ # @!attribute [rw] expired
588
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
589
+ # The approval workflow did not complete in the necessary duration,
590
+ # and so the grant is expired.
591
+ # @!attribute [rw] ended
592
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
593
+ # Access given by the grant ended automatically as the approved
594
+ # duration was over.
595
+ # @!attribute [rw] externally_modified
596
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
597
+ # The policy bindings made by grant have been modified outside of PAM.
598
+ # @!attribute [r] event_time
599
+ # @return [::Google::Protobuf::Timestamp]
600
+ # Output only. The time (as recorded at server) when this event occurred.
601
+ class Event
602
+ include ::Google::Protobuf::MessageExts
603
+ extend ::Google::Protobuf::MessageExts::ClassMethods
604
+
605
+ # An event representing that a grant was requested.
606
+ # @!attribute [r] expire_time
607
+ # @return [::Google::Protobuf::Timestamp]
608
+ # Output only. The time at which this grant expires unless the approval
609
+ # workflow completes. If omitted, then the request never expires.
610
+ class Requested
611
+ include ::Google::Protobuf::MessageExts
612
+ extend ::Google::Protobuf::MessageExts::ClassMethods
613
+ end
614
+
615
+ # An event representing that the grant was approved.
616
+ # @!attribute [r] reason
617
+ # @return [::String]
618
+ # Output only. The reason provided by the approver for approving the
619
+ # grant.
620
+ # @!attribute [r] actor
621
+ # @return [::String]
622
+ # Output only. Username of the user who approved the grant.
623
+ class Approved
624
+ include ::Google::Protobuf::MessageExts
625
+ extend ::Google::Protobuf::MessageExts::ClassMethods
626
+ end
627
+
628
+ # An event representing that the grant was denied.
629
+ # @!attribute [r] reason
630
+ # @return [::String]
631
+ # Output only. The reason provided by the approver for denying the
632
+ # grant.
633
+ # @!attribute [r] actor
634
+ # @return [::String]
635
+ # Output only. Username of the user who denied the grant.
636
+ class Denied
637
+ include ::Google::Protobuf::MessageExts
638
+ extend ::Google::Protobuf::MessageExts::ClassMethods
639
+ end
640
+
641
+ # An event representing that the grant was revoked.
642
+ # @!attribute [r] reason
643
+ # @return [::String]
644
+ # Output only. The reason provided by the user for revoking the grant.
645
+ # @!attribute [r] actor
646
+ # @return [::String]
647
+ # Output only. Username of the user who revoked the grant.
648
+ class Revoked
649
+ include ::Google::Protobuf::MessageExts
650
+ extend ::Google::Protobuf::MessageExts::ClassMethods
651
+ end
652
+
653
+ # An event representing that the grant has been scheduled to be
654
+ # activated later.
655
+ # @!attribute [r] scheduled_activation_time
656
+ # @return [::Google::Protobuf::Timestamp]
657
+ # Output only. The time at which the access is granted.
658
+ class Scheduled
659
+ include ::Google::Protobuf::MessageExts
660
+ extend ::Google::Protobuf::MessageExts::ClassMethods
661
+ end
662
+
663
+ # An event representing that the grant was successfully
664
+ # activated.
665
+ class Activated
666
+ include ::Google::Protobuf::MessageExts
667
+ extend ::Google::Protobuf::MessageExts::ClassMethods
668
+ end
669
+
670
+ # An event representing that the grant activation failed.
671
+ # @!attribute [r] error
672
+ # @return [::Google::Rpc::Status]
673
+ # Output only. The error that occurred while activating the grant.
674
+ class ActivationFailed
675
+ include ::Google::Protobuf::MessageExts
676
+ extend ::Google::Protobuf::MessageExts::ClassMethods
677
+ end
678
+
679
+ # An event representing that the grant was expired.
680
+ class Expired
681
+ include ::Google::Protobuf::MessageExts
682
+ extend ::Google::Protobuf::MessageExts::ClassMethods
683
+ end
684
+
685
+ # An event representing that the grant has ended.
686
+ class Ended
687
+ include ::Google::Protobuf::MessageExts
688
+ extend ::Google::Protobuf::MessageExts::ClassMethods
689
+ end
690
+
691
+ # An event representing that the policy bindings made by this grant were
692
+ # modified externally.
693
+ class ExternallyModified
694
+ include ::Google::Protobuf::MessageExts
695
+ extend ::Google::Protobuf::MessageExts::ClassMethods
696
+ end
697
+ end
698
+ end
699
+
700
+ # Audit trail for the access provided by this grant.
701
+ # @!attribute [r] access_grant_time
702
+ # @return [::Google::Protobuf::Timestamp]
703
+ # Output only. The time at which access was given.
704
+ # @!attribute [r] access_remove_time
705
+ # @return [::Google::Protobuf::Timestamp]
706
+ # Output only. The time at which the system removed access. This could be
707
+ # because of an automatic expiry or because of a revocation.
708
+ #
709
+ # If unspecified, then access hasn't been removed yet.
710
+ class AuditTrail
711
+ include ::Google::Protobuf::MessageExts
712
+ extend ::Google::Protobuf::MessageExts::ClassMethods
713
+ end
714
+
715
+ # Different states a grant can be in.
716
+ module State
717
+ # Unspecified state. This value is never returned by the server.
718
+ STATE_UNSPECIFIED = 0
719
+
720
+ # The entitlement had an approval workflow configured and this grant is
721
+ # waiting for the workflow to complete.
722
+ APPROVAL_AWAITED = 1
723
+
724
+ # The approval workflow completed with a denied result. No access is
725
+ # granted for this grant. This is a terminal state.
726
+ DENIED = 3
727
+
728
+ # The approval workflow completed successfully with an approved result or
729
+ # none was configured. Access is provided at an appropriate time.
730
+ SCHEDULED = 4
731
+
732
+ # Access is being given.
733
+ ACTIVATING = 5
734
+
735
+ # Access was successfully given and is currently active.
736
+ ACTIVE = 6
737
+
738
+ # The system could not give access due to a non-retriable error. This is a
739
+ # terminal state.
740
+ ACTIVATION_FAILED = 7
741
+
742
+ # Expired after waiting for the approval workflow to complete. This is a
743
+ # terminal state.
744
+ EXPIRED = 8
745
+
746
+ # Access is being revoked.
747
+ REVOKING = 9
748
+
749
+ # Access was revoked by a user. This is a terminal state.
750
+ REVOKED = 10
751
+
752
+ # System took back access as the requested duration was over. This is a
753
+ # terminal state.
754
+ ENDED = 11
755
+ end
756
+ end
757
+
758
+ # Justification represents a justification for requesting access.
759
+ # @!attribute [rw] unstructured_justification
760
+ # @return [::String]
761
+ # A free form textual justification. The system only ensures that this
762
+ # is not empty. No other kind of validation is performed on the string.
763
+ class Justification
764
+ include ::Google::Protobuf::MessageExts
765
+ extend ::Google::Protobuf::MessageExts::ClassMethods
766
+ end
767
+
768
+ # Message for requesting list of grants.
769
+ # @!attribute [rw] parent
770
+ # @return [::String]
771
+ # Required. The parent resource which owns the grants.
772
+ # @!attribute [rw] page_size
773
+ # @return [::Integer]
774
+ # Optional. Requested page size. The server may return fewer items than
775
+ # requested. If unspecified, the server picks an appropriate default.
776
+ # @!attribute [rw] page_token
777
+ # @return [::String]
778
+ # Optional. A token identifying a page of results the server should return.
779
+ # @!attribute [rw] filter
780
+ # @return [::String]
781
+ # Optional. Filtering results.
782
+ # @!attribute [rw] order_by
783
+ # @return [::String]
784
+ # Optional. Hint for how to order the results
785
+ class ListGrantsRequest
786
+ include ::Google::Protobuf::MessageExts
787
+ extend ::Google::Protobuf::MessageExts::ClassMethods
788
+ end
789
+
790
+ # Message for response to listing grants.
791
+ # @!attribute [rw] grants
792
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
793
+ # The list of grants.
794
+ # @!attribute [rw] next_page_token
795
+ # @return [::String]
796
+ # A token identifying a page of results the server should return.
797
+ # @!attribute [rw] unreachable
798
+ # @return [::Array<::String>]
799
+ # Locations that could not be reached.
800
+ class ListGrantsResponse
801
+ include ::Google::Protobuf::MessageExts
802
+ extend ::Google::Protobuf::MessageExts::ClassMethods
803
+ end
804
+
805
+ # Request message for `SearchGrants` method.
806
+ # @!attribute [rw] parent
807
+ # @return [::String]
808
+ # Required. The parent which owns the grant resources.
809
+ # @!attribute [rw] caller_relationship
810
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchGrantsRequest::CallerRelationshipType]
811
+ # Required. Only grants which the caller is related to by this relationship
812
+ # are returned in the response.
813
+ # @!attribute [rw] filter
814
+ # @return [::String]
815
+ # Optional. Only grants matching this filter are returned in the response.
816
+ # @!attribute [rw] page_size
817
+ # @return [::Integer]
818
+ # Optional. Requested page size. The server may return fewer items than
819
+ # requested. If unspecified, server picks an appropriate default.
820
+ # @!attribute [rw] page_token
821
+ # @return [::String]
822
+ # Optional. A token identifying a page of results the server should return.
823
+ class SearchGrantsRequest
824
+ include ::Google::Protobuf::MessageExts
825
+ extend ::Google::Protobuf::MessageExts::ClassMethods
826
+
827
+ # Different types of relationships a user can have with a grant.
828
+ module CallerRelationshipType
829
+ # Unspecified caller relationship type.
830
+ CALLER_RELATIONSHIP_TYPE_UNSPECIFIED = 0
831
+
832
+ # The user created this grant by calling `CreateGrant` earlier.
833
+ HAD_CREATED = 1
834
+
835
+ # The user is an approver for the entitlement that this grant is parented
836
+ # under and can currently approve/deny it.
837
+ CAN_APPROVE = 2
838
+
839
+ # The caller had successfully approved/denied this grant earlier.
840
+ HAD_APPROVED = 3
841
+ end
842
+ end
843
+
844
+ # Response message for `SearchGrants` method.
845
+ # @!attribute [rw] grants
846
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
847
+ # The list of grants.
848
+ # @!attribute [rw] next_page_token
849
+ # @return [::String]
850
+ # A token identifying a page of results the server should return.
851
+ class SearchGrantsResponse
852
+ include ::Google::Protobuf::MessageExts
853
+ extend ::Google::Protobuf::MessageExts::ClassMethods
854
+ end
855
+
856
+ # Message for getting a grant.
857
+ # @!attribute [rw] name
858
+ # @return [::String]
859
+ # Required. Name of the resource.
860
+ class GetGrantRequest
861
+ include ::Google::Protobuf::MessageExts
862
+ extend ::Google::Protobuf::MessageExts::ClassMethods
863
+ end
864
+
865
+ # Request message for `ApproveGrant` method.
866
+ # @!attribute [rw] name
867
+ # @return [::String]
868
+ # Required. Name of the grant resource which is being approved.
869
+ # @!attribute [rw] reason
870
+ # @return [::String]
871
+ # Optional. The reason for approving this grant. This is required if the
872
+ # `require_approver_justification` field of the `ManualApprovals` workflow
873
+ # used in this grant is true.
874
+ class ApproveGrantRequest
875
+ include ::Google::Protobuf::MessageExts
876
+ extend ::Google::Protobuf::MessageExts::ClassMethods
877
+ end
878
+
879
+ # Request message for `DenyGrant` method.
880
+ # @!attribute [rw] name
881
+ # @return [::String]
882
+ # Required. Name of the grant resource which is being denied.
883
+ # @!attribute [rw] reason
884
+ # @return [::String]
885
+ # Optional. The reason for denying this grant. This is required if
886
+ # `require_approver_justification` field of the `ManualApprovals` workflow
887
+ # used in this grant is true.
888
+ class DenyGrantRequest
889
+ include ::Google::Protobuf::MessageExts
890
+ extend ::Google::Protobuf::MessageExts::ClassMethods
891
+ end
892
+
893
+ # Request message for `RevokeGrant` method.
894
+ # @!attribute [rw] name
895
+ # @return [::String]
896
+ # Required. Name of the grant resource which is being revoked.
897
+ # @!attribute [rw] reason
898
+ # @return [::String]
899
+ # Optional. The reason for revoking this grant.
900
+ class RevokeGrantRequest
901
+ include ::Google::Protobuf::MessageExts
902
+ extend ::Google::Protobuf::MessageExts::ClassMethods
903
+ end
904
+
905
+ # Message for creating a grant
906
+ # @!attribute [rw] parent
907
+ # @return [::String]
908
+ # Required. Name of the parent entitlement for which this grant is being
909
+ # requested.
910
+ # @!attribute [rw] grant
911
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant]
912
+ # Required. The resource being created.
913
+ # @!attribute [rw] request_id
914
+ # @return [::String]
915
+ # Optional. An optional request ID to identify requests. Specify a unique
916
+ # request ID so that if you must retry your request, the server knows to
917
+ # ignore the request if it has already been completed. The server guarantees
918
+ # this for at least 60 minutes after the first request.
919
+ #
920
+ # For example, consider a situation where you make an initial request and the
921
+ # request times out. If you make the request again with the same request
922
+ # ID, the server can check if original operation with the same request ID
923
+ # was received, and if so, ignores the second request. This prevents
924
+ # clients from accidentally creating duplicate commitments.
925
+ #
926
+ # The request ID must be a valid UUID with the exception that zero UUID is
927
+ # not supported (00000000-0000-0000-0000-000000000000).
928
+ class CreateGrantRequest
929
+ include ::Google::Protobuf::MessageExts
930
+ extend ::Google::Protobuf::MessageExts::ClassMethods
931
+ end
932
+
933
+ # Represents the metadata of the long-running operation.
934
+ # @!attribute [r] create_time
935
+ # @return [::Google::Protobuf::Timestamp]
936
+ # Output only. The time the operation was created.
937
+ # @!attribute [r] end_time
938
+ # @return [::Google::Protobuf::Timestamp]
939
+ # Output only. The time the operation finished running.
940
+ # @!attribute [r] target
941
+ # @return [::String]
942
+ # Output only. Server-defined resource path for the target of the operation.
943
+ # @!attribute [r] verb
944
+ # @return [::String]
945
+ # Output only. Name of the verb executed by the operation.
946
+ # @!attribute [r] status_message
947
+ # @return [::String]
948
+ # Output only. Human-readable status of the operation, if any.
949
+ # @!attribute [r] requested_cancellation
950
+ # @return [::Boolean]
951
+ # Output only. Identifies whether the user has requested cancellation
952
+ # of the operation. Operations that have been cancelled successfully
953
+ # have [Operation.error][] value with a
954
+ # {::Google::Rpc::Status#code google.rpc.Status.code} of 1, corresponding to
955
+ # `Code.CANCELLED`.
956
+ # @!attribute [r] api_version
957
+ # @return [::String]
958
+ # Output only. API version used to start the operation.
959
+ class OperationMetadata
960
+ include ::Google::Protobuf::MessageExts
961
+ extend ::Google::Protobuf::MessageExts::ClassMethods
962
+ end
963
+ end
964
+ end
965
+ end
966
+ end