google-cloud-privileged_access_manager-v1 0.a → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. checksums.yaml +4 -4
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +122 -0
  4. data/README.md +144 -8
  5. data/lib/google/cloud/privileged_access_manager/v1/bindings_override.rb +134 -0
  6. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/client.rb +1895 -0
  7. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/credentials.rb +47 -0
  8. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/operations.rb +809 -0
  9. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/paths.rb +206 -0
  10. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/client.rb +1777 -0
  11. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/operations.rb +944 -0
  12. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest/service_stub.rb +1109 -0
  13. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager/rest.rb +73 -0
  14. data/lib/google/cloud/privileged_access_manager/v1/privileged_access_manager.rb +75 -0
  15. data/lib/google/cloud/privileged_access_manager/v1/rest.rb +38 -0
  16. data/lib/google/cloud/privileged_access_manager/v1/version.rb +7 -2
  17. data/lib/google/cloud/privileged_access_manager/v1.rb +45 -0
  18. data/lib/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager_pb.rb +108 -0
  19. data/lib/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager_services_pb.rb +121 -0
  20. data/lib/google-cloud-privileged_access_manager-v1.rb +21 -0
  21. data/proto_docs/README.md +4 -0
  22. data/proto_docs/google/api/client.rb +403 -0
  23. data/proto_docs/google/api/field_behavior.rb +85 -0
  24. data/proto_docs/google/api/launch_stage.rb +71 -0
  25. data/proto_docs/google/api/resource.rb +227 -0
  26. data/proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb +966 -0
  27. data/proto_docs/google/longrunning/operations.rb +164 -0
  28. data/proto_docs/google/protobuf/any.rb +145 -0
  29. data/proto_docs/google/protobuf/duration.rb +98 -0
  30. data/proto_docs/google/protobuf/empty.rb +34 -0
  31. data/proto_docs/google/protobuf/field_mask.rb +229 -0
  32. data/proto_docs/google/protobuf/timestamp.rb +127 -0
  33. data/proto_docs/google/rpc/status.rb +48 -0
  34. metadata +125 -10
@@ -0,0 +1,966 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2024 Google LLC
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # https://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
18
+
19
+
20
+ module Google
21
+ module Cloud
22
+ module PrivilegedAccessManager
23
+ module V1
24
+ # Request message for `CheckOnboardingStatus` method.
25
+ # @!attribute [rw] parent
26
+ # @return [::String]
27
+ # Required. The resource for which the onboarding status should be checked.
28
+ # Should be in one of the following formats:
29
+ #
30
+ # * `projects/{project-number|project-id}/locations/{region}`
31
+ # * `folders/{folder-number}/locations/{region}`
32
+ # * `organizations/{organization-number}/locations/{region}`
33
+ class CheckOnboardingStatusRequest
34
+ include ::Google::Protobuf::MessageExts
35
+ extend ::Google::Protobuf::MessageExts::ClassMethods
36
+ end
37
+
38
+ # Response message for `CheckOnboardingStatus` method.
39
+ # @!attribute [rw] service_account
40
+ # @return [::String]
41
+ # The service account that PAM uses to act on this resource.
42
+ # @!attribute [rw] findings
43
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding>]
44
+ # List of issues that are preventing PAM from functioning for this resource
45
+ # and need to be fixed to complete onboarding. Some issues might not be
46
+ # detected or reported.
47
+ class CheckOnboardingStatusResponse
48
+ include ::Google::Protobuf::MessageExts
49
+ extend ::Google::Protobuf::MessageExts::ClassMethods
50
+
51
+ # Finding represents an issue which prevents PAM from functioning properly
52
+ # for this resource.
53
+ # @!attribute [rw] iam_access_denied
54
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::CheckOnboardingStatusResponse::Finding::IAMAccessDenied]
55
+ # PAM's service account is being denied access by Cloud IAM.
56
+ class Finding
57
+ include ::Google::Protobuf::MessageExts
58
+ extend ::Google::Protobuf::MessageExts::ClassMethods
59
+
60
+ # PAM's service account is being denied access by Cloud IAM.
61
+ # This can be fixed by granting a role that contains the missing
62
+ # permissions to the service account or exempting it from deny policies if
63
+ # they are blocking the access.
64
+ # @!attribute [rw] missing_permissions
65
+ # @return [::Array<::String>]
66
+ # List of permissions that are being denied.
67
+ class IAMAccessDenied
68
+ include ::Google::Protobuf::MessageExts
69
+ extend ::Google::Protobuf::MessageExts::ClassMethods
70
+ end
71
+ end
72
+ end
73
+
74
+ # An entitlement defines the eligibility of a set of users to obtain
75
+ # predefined access for some time possibly after going through an approval
76
+ # workflow.
77
+ # @!attribute [rw] name
78
+ # @return [::String]
79
+ # Identifier. Name of the entitlement.
80
+ # Possible formats:
81
+ #
82
+ # * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}`
83
+ # * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}`
84
+ # * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`
85
+ # @!attribute [r] create_time
86
+ # @return [::Google::Protobuf::Timestamp]
87
+ # Output only. Create time stamp.
88
+ # @!attribute [r] update_time
89
+ # @return [::Google::Protobuf::Timestamp]
90
+ # Output only. Update time stamp.
91
+ # @!attribute [rw] eligible_users
92
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
93
+ # Optional. Who can create grants using this entitlement. This list should
94
+ # contain at most one entry.
95
+ # @!attribute [rw] approval_workflow
96
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::ApprovalWorkflow]
97
+ # Optional. The approvals needed before access are granted to a requester. No
98
+ # approvals are needed if this field is null.
99
+ # @!attribute [rw] privileged_access
100
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
101
+ # The access granted to a requester on successful approval.
102
+ # @!attribute [rw] max_request_duration
103
+ # @return [::Google::Protobuf::Duration]
104
+ # Required. The maximum amount of time that access is granted for a request.
105
+ # A requester can ask for a duration less than this, but never more.
106
+ # @!attribute [r] state
107
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::State]
108
+ # Output only. Current state of this entitlement.
109
+ # @!attribute [rw] requester_justification_config
110
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig]
111
+ # Required. The manner in which the requester should provide a justification
112
+ # for requesting access.
113
+ # @!attribute [rw] additional_notification_targets
114
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::AdditionalNotificationTargets]
115
+ # Optional. Additional email addresses to be notified based on actions taken.
116
+ # @!attribute [rw] etag
117
+ # @return [::String]
118
+ # An `etag` is used for optimistic concurrency control as a way to prevent
119
+ # simultaneous updates to the same entitlement. An `etag` is returned in the
120
+ # response to `GetEntitlement` and the caller should put the `etag` in the
121
+ # request to `UpdateEntitlement` so that their change is applied on
122
+ # the same version. If this field is omitted or if there is a mismatch while
123
+ # updating an entitlement, then the server rejects the request.
124
+ class Entitlement
125
+ include ::Google::Protobuf::MessageExts
126
+ extend ::Google::Protobuf::MessageExts::ClassMethods
127
+
128
+ # Defines how a requester must provide a justification when requesting
129
+ # access.
130
+ # @!attribute [rw] not_mandatory
131
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::NotMandatory]
132
+ # This option means the requester isn't required to provide a
133
+ # justification.
134
+ # @!attribute [rw] unstructured
135
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement::RequesterJustificationConfig::Unstructured]
136
+ # This option means the requester must provide a string as
137
+ # justification. If this is selected, the server allows the requester
138
+ # to provide a justification but doesn't validate it.
139
+ class RequesterJustificationConfig
140
+ include ::Google::Protobuf::MessageExts
141
+ extend ::Google::Protobuf::MessageExts::ClassMethods
142
+
143
+ # The justification is not mandatory but can be provided in any of the
144
+ # supported formats.
145
+ class NotMandatory
146
+ include ::Google::Protobuf::MessageExts
147
+ extend ::Google::Protobuf::MessageExts::ClassMethods
148
+ end
149
+
150
+ # The requester has to provide a justification in the form of a string.
151
+ class Unstructured
152
+ include ::Google::Protobuf::MessageExts
153
+ extend ::Google::Protobuf::MessageExts::ClassMethods
154
+ end
155
+ end
156
+
157
+ # AdditionalNotificationTargets includes email addresses to be notified.
158
+ # @!attribute [rw] admin_email_recipients
159
+ # @return [::Array<::String>]
160
+ # Optional. Additional email addresses to be notified when a principal
161
+ # (requester) is granted access.
162
+ # @!attribute [rw] requester_email_recipients
163
+ # @return [::Array<::String>]
164
+ # Optional. Additional email address to be notified about an eligible
165
+ # entitlement.
166
+ class AdditionalNotificationTargets
167
+ include ::Google::Protobuf::MessageExts
168
+ extend ::Google::Protobuf::MessageExts::ClassMethods
169
+ end
170
+
171
+ # Different states an entitlement can be in.
172
+ module State
173
+ # Unspecified state. This value is never returned by the server.
174
+ STATE_UNSPECIFIED = 0
175
+
176
+ # The entitlement is being created.
177
+ CREATING = 1
178
+
179
+ # The entitlement is available for requesting access.
180
+ AVAILABLE = 2
181
+
182
+ # The entitlement is being deleted.
183
+ DELETING = 3
184
+
185
+ # The entitlement has been deleted.
186
+ DELETED = 4
187
+
188
+ # The entitlement is being updated.
189
+ UPDATING = 5
190
+ end
191
+ end
192
+
193
+ # AccessControlEntry is used to control who can do some operation.
194
+ # @!attribute [rw] principals
195
+ # @return [::Array<::String>]
196
+ # Optional. Users who are allowed for the operation. Each entry should be a
197
+ # valid v1 IAM principal identifier. The format for these is documented at:
198
+ # https://cloud.google.com/iam/docs/principal-identifiers#v1
199
+ class AccessControlEntry
200
+ include ::Google::Protobuf::MessageExts
201
+ extend ::Google::Protobuf::MessageExts::ClassMethods
202
+ end
203
+
204
+ # Different types of approval workflows that can be used to gate privileged
205
+ # access granting.
206
+ # @!attribute [rw] manual_approvals
207
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals]
208
+ # An approval workflow where users designated as approvers review and act
209
+ # on the grants.
210
+ class ApprovalWorkflow
211
+ include ::Google::Protobuf::MessageExts
212
+ extend ::Google::Protobuf::MessageExts::ClassMethods
213
+ end
214
+
215
+ # A manual approval workflow where users who are designated as approvers
216
+ # need to call the `ApproveGrant`/`DenyGrant` APIs for a grant. The workflow
217
+ # can consist of multiple serial steps where each step defines who can act as
218
+ # approver in that step and how many of those users should approve before the
219
+ # workflow moves to the next step.
220
+ #
221
+ # This can be used to create approval workflows such as:
222
+ #
223
+ # * Require an approval from any user in a group G.
224
+ # * Require an approval from any k number of users from a Group G.
225
+ # * Require an approval from any user in a group G and then from a user U.
226
+ #
227
+ # A single user might be part of the `approvers` ACL for multiple steps in this
228
+ # workflow, but they can only approve once and that approval is only considered
229
+ # to satisfy the approval step at which it was granted.
230
+ # @!attribute [rw] require_approver_justification
231
+ # @return [::Boolean]
232
+ # Optional. Do the approvers need to provide a justification for their
233
+ # actions?
234
+ # @!attribute [rw] steps
235
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::ManualApprovals::Step>]
236
+ # Optional. List of approval steps in this workflow. These steps are followed
237
+ # in the specified order sequentially. Only 1 step is supported.
238
+ class ManualApprovals
239
+ include ::Google::Protobuf::MessageExts
240
+ extend ::Google::Protobuf::MessageExts::ClassMethods
241
+
242
+ # Step represents a logical step in a manual approval workflow.
243
+ # @!attribute [rw] approvers
244
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::AccessControlEntry>]
245
+ # Optional. The potential set of approvers in this step. This list must
246
+ # contain at most one entry.
247
+ # @!attribute [rw] approvals_needed
248
+ # @return [::Integer]
249
+ # Required. How many users from the above list need to approve. If there
250
+ # aren't enough distinct users in the list, then the workflow indefinitely
251
+ # blocks. Should always be greater than 0. 1 is the only supported value.
252
+ # @!attribute [rw] approver_email_recipients
253
+ # @return [::Array<::String>]
254
+ # Optional. Additional email addresses to be notified when a grant is
255
+ # pending approval.
256
+ class Step
257
+ include ::Google::Protobuf::MessageExts
258
+ extend ::Google::Protobuf::MessageExts::ClassMethods
259
+ end
260
+ end
261
+
262
+ # Privileged access that this service can be used to gate.
263
+ # @!attribute [rw] gcp_iam_access
264
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess]
265
+ # Access to a Google Cloud resource through IAM.
266
+ class PrivilegedAccess
267
+ include ::Google::Protobuf::MessageExts
268
+ extend ::Google::Protobuf::MessageExts::ClassMethods
269
+
270
+ # GcpIamAccess represents IAM based access control on a Google Cloud
271
+ # resource. Refer to https://cloud.google.com/iam/docs to understand more
272
+ # about IAM.
273
+ # @!attribute [rw] resource_type
274
+ # @return [::String]
275
+ # Required. The type of this resource.
276
+ # @!attribute [rw] resource
277
+ # @return [::String]
278
+ # Required. Name of the resource.
279
+ # @!attribute [rw] role_bindings
280
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess::GcpIamAccess::RoleBinding>]
281
+ # Required. Role bindings that are created on successful grant.
282
+ class GcpIamAccess
283
+ include ::Google::Protobuf::MessageExts
284
+ extend ::Google::Protobuf::MessageExts::ClassMethods
285
+
286
+ # IAM Role bindings that are created after a successful grant.
287
+ # @!attribute [rw] role
288
+ # @return [::String]
289
+ # Required. IAM role to be granted.
290
+ # https://cloud.google.com/iam/docs/roles-overview.
291
+ # @!attribute [rw] condition_expression
292
+ # @return [::String]
293
+ # Optional. The expression field of the IAM condition to be associated
294
+ # with the role. If specified, a user with an active grant for this
295
+ # entitlement is able to access the resource only if this condition
296
+ # evaluates to true for their request.
297
+ #
298
+ # This field uses the same CEL format as IAM and supports all attributes
299
+ # that IAM supports, except tags.
300
+ # https://cloud.google.com/iam/docs/conditions-overview#attributes.
301
+ class RoleBinding
302
+ include ::Google::Protobuf::MessageExts
303
+ extend ::Google::Protobuf::MessageExts::ClassMethods
304
+ end
305
+ end
306
+ end
307
+
308
+ # Message for requesting list of entitlements.
309
+ # @!attribute [rw] parent
310
+ # @return [::String]
311
+ # Required. The parent which owns the entitlement resources.
312
+ # @!attribute [rw] page_size
313
+ # @return [::Integer]
314
+ # Optional. Requested page size. Server may return fewer items than
315
+ # requested. If unspecified, the server picks an appropriate default.
316
+ # @!attribute [rw] page_token
317
+ # @return [::String]
318
+ # Optional. A token identifying a page of results the server should return.
319
+ # @!attribute [rw] filter
320
+ # @return [::String]
321
+ # Optional. Filtering results.
322
+ # @!attribute [rw] order_by
323
+ # @return [::String]
324
+ # Optional. Hint for how to order the results.
325
+ class ListEntitlementsRequest
326
+ include ::Google::Protobuf::MessageExts
327
+ extend ::Google::Protobuf::MessageExts::ClassMethods
328
+ end
329
+
330
+ # Message for response to listing entitlements.
331
+ # @!attribute [rw] entitlements
332
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
333
+ # The list of entitlements.
334
+ # @!attribute [rw] next_page_token
335
+ # @return [::String]
336
+ # A token identifying a page of results the server should return.
337
+ # @!attribute [rw] unreachable
338
+ # @return [::Array<::String>]
339
+ # Locations that could not be reached.
340
+ class ListEntitlementsResponse
341
+ include ::Google::Protobuf::MessageExts
342
+ extend ::Google::Protobuf::MessageExts::ClassMethods
343
+ end
344
+
345
+ # Request message for `SearchEntitlements` method.
346
+ # @!attribute [rw] parent
347
+ # @return [::String]
348
+ # Required. The parent which owns the entitlement resources.
349
+ # @!attribute [rw] caller_access_type
350
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchEntitlementsRequest::CallerAccessType]
351
+ # Required. Only entitlements where the calling user has this access are
352
+ # returned.
353
+ # @!attribute [rw] filter
354
+ # @return [::String]
355
+ # Optional. Only entitlements matching this filter are returned in the
356
+ # response.
357
+ # @!attribute [rw] page_size
358
+ # @return [::Integer]
359
+ # Optional. Requested page size. The server may return fewer items than
360
+ # requested. If unspecified, the server picks an appropriate default.
361
+ # @!attribute [rw] page_token
362
+ # @return [::String]
363
+ # Optional. A token identifying a page of results the server should return.
364
+ class SearchEntitlementsRequest
365
+ include ::Google::Protobuf::MessageExts
366
+ extend ::Google::Protobuf::MessageExts::ClassMethods
367
+
368
+ # Different types of access a user can have on the entitlement resource.
369
+ module CallerAccessType
370
+ # Unspecified access type.
371
+ CALLER_ACCESS_TYPE_UNSPECIFIED = 0
372
+
373
+ # The user has access to create grants using this entitlement.
374
+ GRANT_REQUESTER = 1
375
+
376
+ # The user has access to approve/deny grants created under this
377
+ # entitlement.
378
+ GRANT_APPROVER = 2
379
+ end
380
+ end
381
+
382
+ # Response message for `SearchEntitlements` method.
383
+ # @!attribute [rw] entitlements
384
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Entitlement>]
385
+ # The list of entitlements.
386
+ # @!attribute [rw] next_page_token
387
+ # @return [::String]
388
+ # A token identifying a page of results the server should return.
389
+ class SearchEntitlementsResponse
390
+ include ::Google::Protobuf::MessageExts
391
+ extend ::Google::Protobuf::MessageExts::ClassMethods
392
+ end
393
+
394
+ # Message for getting an entitlement.
395
+ # @!attribute [rw] name
396
+ # @return [::String]
397
+ # Required. Name of the resource.
398
+ class GetEntitlementRequest
399
+ include ::Google::Protobuf::MessageExts
400
+ extend ::Google::Protobuf::MessageExts::ClassMethods
401
+ end
402
+
403
+ # Message for creating an entitlement.
404
+ # @!attribute [rw] parent
405
+ # @return [::String]
406
+ # Required. Name of the parent resource for the entitlement.
407
+ # Possible formats:
408
+ #
409
+ # * `organizations/{organization-number}/locations/{region}`
410
+ # * `folders/{folder-number}/locations/{region}`
411
+ # * `projects/{project-id|project-number}/locations/{region}`
412
+ # @!attribute [rw] entitlement_id
413
+ # @return [::String]
414
+ # Required. The ID to use for this entitlement. This becomes the last part of
415
+ # the resource name.
416
+ #
417
+ # This value should be 4-63 characters in length, and valid characters are
418
+ # "[a-z]", "[0-9]", and "-". The first character should be from [a-z].
419
+ #
420
+ # This value should be unique among all other entitlements under the
421
+ # specified `parent`.
422
+ # @!attribute [rw] entitlement
423
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
424
+ # Required. The resource being created
425
+ # @!attribute [rw] request_id
426
+ # @return [::String]
427
+ # Optional. An optional request ID to identify requests. Specify a unique
428
+ # request ID so that if you must retry your request, the server knows to
429
+ # ignore the request if it has already been completed. The server guarantees
430
+ # this for at least 60 minutes after the first request.
431
+ #
432
+ # For example, consider a situation where you make an initial request and the
433
+ # request times out. If you make the request again with the same request
434
+ # ID, the server can check if original operation with the same request ID
435
+ # was received, and if so, ignores the second request and returns the
436
+ # previous operation's response. This prevents clients from accidentally
437
+ # creating duplicate commitments.
438
+ #
439
+ # The request ID must be a valid UUID with the exception that zero UUID is
440
+ # not supported (00000000-0000-0000-0000-000000000000).
441
+ class CreateEntitlementRequest
442
+ include ::Google::Protobuf::MessageExts
443
+ extend ::Google::Protobuf::MessageExts::ClassMethods
444
+ end
445
+
446
+ # Message for deleting an entitlement.
447
+ # @!attribute [rw] name
448
+ # @return [::String]
449
+ # Required. Name of the resource.
450
+ # @!attribute [rw] request_id
451
+ # @return [::String]
452
+ # Optional. An optional request ID to identify requests. Specify a unique
453
+ # request ID so that if you must retry your request, the server knows to
454
+ # ignore the request if it has already been completed. The server guarantees
455
+ # this for at least 60 minutes after the first request.
456
+ #
457
+ # For example, consider a situation where you make an initial request and the
458
+ # request times out. If you make the request again with the same request
459
+ # ID, the server can check if original operation with the same request ID
460
+ # was received, and if so, ignores the second request. This prevents
461
+ # clients from accidentally creating duplicate commitments.
462
+ #
463
+ # The request ID must be a valid UUID with the exception that zero UUID is
464
+ # not supported (00000000-0000-0000-0000-000000000000).
465
+ # @!attribute [rw] force
466
+ # @return [::Boolean]
467
+ # Optional. If set to true, any child grant under this entitlement is also
468
+ # deleted. (Otherwise, the request only works if the entitlement has no child
469
+ # grant.)
470
+ class DeleteEntitlementRequest
471
+ include ::Google::Protobuf::MessageExts
472
+ extend ::Google::Protobuf::MessageExts::ClassMethods
473
+ end
474
+
475
+ # Message for updating an entitlement.
476
+ # @!attribute [rw] entitlement
477
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Entitlement]
478
+ # Required. The entitlement resource that is updated.
479
+ # @!attribute [rw] update_mask
480
+ # @return [::Google::Protobuf::FieldMask]
481
+ # Required. The list of fields to update. A field is overwritten if, and only
482
+ # if, it is in the mask. Any immutable fields set in the mask are ignored by
483
+ # the server. Repeated fields and map fields are only allowed in the last
484
+ # position of a `paths` string and overwrite the existing values. Hence an
485
+ # update to a repeated field or a map should contain the entire list of
486
+ # values. The fields specified in the update_mask are relative to the
487
+ # resource and not to the request.
488
+ # (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`)
489
+ # A value of '*' for this field refers to full replacement of the resource.
490
+ class UpdateEntitlementRequest
491
+ include ::Google::Protobuf::MessageExts
492
+ extend ::Google::Protobuf::MessageExts::ClassMethods
493
+ end
494
+
495
+ # This is to ensure that the `Grants` and `ProducerGrants` proto are byte
496
+ # compatible.
497
+ # A grant represents a request from a user for obtaining the access specified
498
+ # in an entitlement they are eligible for.
499
+ # @!attribute [rw] name
500
+ # @return [::String]
501
+ # Identifier. Name of this grant.
502
+ # Possible formats:
503
+ #
504
+ # * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
505
+ # * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
506
+ # * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}`
507
+ #
508
+ # The last segment of this name (`{grant-id}`) is autogenerated.
509
+ # @!attribute [r] create_time
510
+ # @return [::Google::Protobuf::Timestamp]
511
+ # Output only. Create time stamp.
512
+ # @!attribute [r] update_time
513
+ # @return [::Google::Protobuf::Timestamp]
514
+ # Output only. Update time stamp.
515
+ # @!attribute [r] requester
516
+ # @return [::String]
517
+ # Output only. Username of the user who created this grant.
518
+ # @!attribute [rw] requested_duration
519
+ # @return [::Google::Protobuf::Duration]
520
+ # Required. The amount of time access is needed for. This value should be
521
+ # less than the `max_request_duration` value of the entitlement.
522
+ # @!attribute [rw] justification
523
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Justification]
524
+ # Optional. Justification of why this access is needed.
525
+ # @!attribute [r] state
526
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::State]
527
+ # Output only. Current state of this grant.
528
+ # @!attribute [r] timeline
529
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline]
530
+ # Output only. Timeline of this grant.
531
+ # @!attribute [r] privileged_access
532
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess]
533
+ # Output only. The access that would be granted by this grant.
534
+ # @!attribute [r] audit_trail
535
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail]
536
+ # Output only. Audit trail of access provided by this grant. If unspecified
537
+ # then access was never granted.
538
+ # @!attribute [rw] additional_email_recipients
539
+ # @return [::Array<::String>]
540
+ # Optional. Additional email addresses to notify for all the actions
541
+ # performed on the grant.
542
+ # @!attribute [r] externally_modified
543
+ # @return [::Boolean]
544
+ # Output only. Flag set by the PAM system to indicate that policy bindings
545
+ # made by this grant have been modified from outside PAM.
546
+ #
547
+ # After it is set, this flag remains set forever irrespective of the grant
548
+ # state. A `true` value here indicates that PAM no longer has any certainty
549
+ # on the access a user has because of this grant.
550
+ class Grant
551
+ include ::Google::Protobuf::MessageExts
552
+ extend ::Google::Protobuf::MessageExts::ClassMethods
553
+
554
+ # Timeline of a grant describing what happened to it and when.
555
+ # @!attribute [r] events
556
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
557
+ # Output only. The events that have occurred on this grant. This list
558
+ # contains entries in the same order as they occurred. The first entry is
559
+ # always be of type `Requested` and there is always at least one entry in
560
+ # this array.
561
+ class Timeline
562
+ include ::Google::Protobuf::MessageExts
563
+ extend ::Google::Protobuf::MessageExts::ClassMethods
564
+
565
+ # A single operation on the grant.
566
+ # @!attribute [rw] requested
567
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
568
+ # The grant was requested.
569
+ # @!attribute [rw] approved
570
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
571
+ # The grant was approved.
572
+ # @!attribute [rw] denied
573
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
574
+ # The grant was denied.
575
+ # @!attribute [rw] revoked
576
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
577
+ # The grant was revoked.
578
+ # @!attribute [rw] scheduled
579
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
580
+ # The grant has been scheduled to give access.
581
+ # @!attribute [rw] activated
582
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
583
+ # The grant was successfully activated to give access.
584
+ # @!attribute [rw] activation_failed
585
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
586
+ # There was a non-retriable error while trying to give access.
587
+ # @!attribute [rw] expired
588
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
589
+ # The approval workflow did not complete in the necessary duration,
590
+ # and so the grant is expired.
591
+ # @!attribute [rw] ended
592
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
593
+ # Access given by the grant ended automatically as the approved
594
+ # duration was over.
595
+ # @!attribute [rw] externally_modified
596
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
597
+ # The policy bindings made by grant have been modified outside of PAM.
598
+ # @!attribute [r] event_time
599
+ # @return [::Google::Protobuf::Timestamp]
600
+ # Output only. The time (as recorded at server) when this event occurred.
601
+ class Event
602
+ include ::Google::Protobuf::MessageExts
603
+ extend ::Google::Protobuf::MessageExts::ClassMethods
604
+
605
+ # An event representing that a grant was requested.
606
+ # @!attribute [r] expire_time
607
+ # @return [::Google::Protobuf::Timestamp]
608
+ # Output only. The time at which this grant expires unless the approval
609
+ # workflow completes. If omitted, then the request never expires.
610
+ class Requested
611
+ include ::Google::Protobuf::MessageExts
612
+ extend ::Google::Protobuf::MessageExts::ClassMethods
613
+ end
614
+
615
+ # An event representing that the grant was approved.
616
+ # @!attribute [r] reason
617
+ # @return [::String]
618
+ # Output only. The reason provided by the approver for approving the
619
+ # grant.
620
+ # @!attribute [r] actor
621
+ # @return [::String]
622
+ # Output only. Username of the user who approved the grant.
623
+ class Approved
624
+ include ::Google::Protobuf::MessageExts
625
+ extend ::Google::Protobuf::MessageExts::ClassMethods
626
+ end
627
+
628
+ # An event representing that the grant was denied.
629
+ # @!attribute [r] reason
630
+ # @return [::String]
631
+ # Output only. The reason provided by the approver for denying the
632
+ # grant.
633
+ # @!attribute [r] actor
634
+ # @return [::String]
635
+ # Output only. Username of the user who denied the grant.
636
+ class Denied
637
+ include ::Google::Protobuf::MessageExts
638
+ extend ::Google::Protobuf::MessageExts::ClassMethods
639
+ end
640
+
641
+ # An event representing that the grant was revoked.
642
+ # @!attribute [r] reason
643
+ # @return [::String]
644
+ # Output only. The reason provided by the user for revoking the grant.
645
+ # @!attribute [r] actor
646
+ # @return [::String]
647
+ # Output only. Username of the user who revoked the grant.
648
+ class Revoked
649
+ include ::Google::Protobuf::MessageExts
650
+ extend ::Google::Protobuf::MessageExts::ClassMethods
651
+ end
652
+
653
+ # An event representing that the grant has been scheduled to be
654
+ # activated later.
655
+ # @!attribute [r] scheduled_activation_time
656
+ # @return [::Google::Protobuf::Timestamp]
657
+ # Output only. The time at which the access is granted.
658
+ class Scheduled
659
+ include ::Google::Protobuf::MessageExts
660
+ extend ::Google::Protobuf::MessageExts::ClassMethods
661
+ end
662
+
663
+ # An event representing that the grant was successfully
664
+ # activated.
665
+ class Activated
666
+ include ::Google::Protobuf::MessageExts
667
+ extend ::Google::Protobuf::MessageExts::ClassMethods
668
+ end
669
+
670
+ # An event representing that the grant activation failed.
671
+ # @!attribute [r] error
672
+ # @return [::Google::Rpc::Status]
673
+ # Output only. The error that occurred while activating the grant.
674
+ class ActivationFailed
675
+ include ::Google::Protobuf::MessageExts
676
+ extend ::Google::Protobuf::MessageExts::ClassMethods
677
+ end
678
+
679
+ # An event representing that the grant was expired.
680
+ class Expired
681
+ include ::Google::Protobuf::MessageExts
682
+ extend ::Google::Protobuf::MessageExts::ClassMethods
683
+ end
684
+
685
+ # An event representing that the grant has ended.
686
+ class Ended
687
+ include ::Google::Protobuf::MessageExts
688
+ extend ::Google::Protobuf::MessageExts::ClassMethods
689
+ end
690
+
691
+ # An event representing that the policy bindings made by this grant were
692
+ # modified externally.
693
+ class ExternallyModified
694
+ include ::Google::Protobuf::MessageExts
695
+ extend ::Google::Protobuf::MessageExts::ClassMethods
696
+ end
697
+ end
698
+ end
699
+
700
+ # Audit trail for the access provided by this grant.
701
+ # @!attribute [r] access_grant_time
702
+ # @return [::Google::Protobuf::Timestamp]
703
+ # Output only. The time at which access was given.
704
+ # @!attribute [r] access_remove_time
705
+ # @return [::Google::Protobuf::Timestamp]
706
+ # Output only. The time at which the system removed access. This could be
707
+ # because of an automatic expiry or because of a revocation.
708
+ #
709
+ # If unspecified, then access hasn't been removed yet.
710
+ class AuditTrail
711
+ include ::Google::Protobuf::MessageExts
712
+ extend ::Google::Protobuf::MessageExts::ClassMethods
713
+ end
714
+
715
+ # Different states a grant can be in.
716
+ module State
717
+ # Unspecified state. This value is never returned by the server.
718
+ STATE_UNSPECIFIED = 0
719
+
720
+ # The entitlement had an approval workflow configured and this grant is
721
+ # waiting for the workflow to complete.
722
+ APPROVAL_AWAITED = 1
723
+
724
+ # The approval workflow completed with a denied result. No access is
725
+ # granted for this grant. This is a terminal state.
726
+ DENIED = 3
727
+
728
+ # The approval workflow completed successfully with an approved result or
729
+ # none was configured. Access is provided at an appropriate time.
730
+ SCHEDULED = 4
731
+
732
+ # Access is being given.
733
+ ACTIVATING = 5
734
+
735
+ # Access was successfully given and is currently active.
736
+ ACTIVE = 6
737
+
738
+ # The system could not give access due to a non-retriable error. This is a
739
+ # terminal state.
740
+ ACTIVATION_FAILED = 7
741
+
742
+ # Expired after waiting for the approval workflow to complete. This is a
743
+ # terminal state.
744
+ EXPIRED = 8
745
+
746
+ # Access is being revoked.
747
+ REVOKING = 9
748
+
749
+ # Access was revoked by a user. This is a terminal state.
750
+ REVOKED = 10
751
+
752
+ # System took back access as the requested duration was over. This is a
753
+ # terminal state.
754
+ ENDED = 11
755
+ end
756
+ end
757
+
758
+ # Justification represents a justification for requesting access.
759
+ # @!attribute [rw] unstructured_justification
760
+ # @return [::String]
761
+ # A free form textual justification. The system only ensures that this
762
+ # is not empty. No other kind of validation is performed on the string.
763
+ class Justification
764
+ include ::Google::Protobuf::MessageExts
765
+ extend ::Google::Protobuf::MessageExts::ClassMethods
766
+ end
767
+
768
+ # Message for requesting list of grants.
769
+ # @!attribute [rw] parent
770
+ # @return [::String]
771
+ # Required. The parent resource which owns the grants.
772
+ # @!attribute [rw] page_size
773
+ # @return [::Integer]
774
+ # Optional. Requested page size. The server may return fewer items than
775
+ # requested. If unspecified, the server picks an appropriate default.
776
+ # @!attribute [rw] page_token
777
+ # @return [::String]
778
+ # Optional. A token identifying a page of results the server should return.
779
+ # @!attribute [rw] filter
780
+ # @return [::String]
781
+ # Optional. Filtering results.
782
+ # @!attribute [rw] order_by
783
+ # @return [::String]
784
+ # Optional. Hint for how to order the results
785
+ class ListGrantsRequest
786
+ include ::Google::Protobuf::MessageExts
787
+ extend ::Google::Protobuf::MessageExts::ClassMethods
788
+ end
789
+
790
+ # Message for response to listing grants.
791
+ # @!attribute [rw] grants
792
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
793
+ # The list of grants.
794
+ # @!attribute [rw] next_page_token
795
+ # @return [::String]
796
+ # A token identifying a page of results the server should return.
797
+ # @!attribute [rw] unreachable
798
+ # @return [::Array<::String>]
799
+ # Locations that could not be reached.
800
+ class ListGrantsResponse
801
+ include ::Google::Protobuf::MessageExts
802
+ extend ::Google::Protobuf::MessageExts::ClassMethods
803
+ end
804
+
805
+ # Request message for `SearchGrants` method.
806
+ # @!attribute [rw] parent
807
+ # @return [::String]
808
+ # Required. The parent which owns the grant resources.
809
+ # @!attribute [rw] caller_relationship
810
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::SearchGrantsRequest::CallerRelationshipType]
811
+ # Required. Only grants which the caller is related to by this relationship
812
+ # are returned in the response.
813
+ # @!attribute [rw] filter
814
+ # @return [::String]
815
+ # Optional. Only grants matching this filter are returned in the response.
816
+ # @!attribute [rw] page_size
817
+ # @return [::Integer]
818
+ # Optional. Requested page size. The server may return fewer items than
819
+ # requested. If unspecified, server picks an appropriate default.
820
+ # @!attribute [rw] page_token
821
+ # @return [::String]
822
+ # Optional. A token identifying a page of results the server should return.
823
+ class SearchGrantsRequest
824
+ include ::Google::Protobuf::MessageExts
825
+ extend ::Google::Protobuf::MessageExts::ClassMethods
826
+
827
+ # Different types of relationships a user can have with a grant.
828
+ module CallerRelationshipType
829
+ # Unspecified caller relationship type.
830
+ CALLER_RELATIONSHIP_TYPE_UNSPECIFIED = 0
831
+
832
+ # The user created this grant by calling `CreateGrant` earlier.
833
+ HAD_CREATED = 1
834
+
835
+ # The user is an approver for the entitlement that this grant is parented
836
+ # under and can currently approve/deny it.
837
+ CAN_APPROVE = 2
838
+
839
+ # The caller had successfully approved/denied this grant earlier.
840
+ HAD_APPROVED = 3
841
+ end
842
+ end
843
+
844
+ # Response message for `SearchGrants` method.
845
+ # @!attribute [rw] grants
846
+ # @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant>]
847
+ # The list of grants.
848
+ # @!attribute [rw] next_page_token
849
+ # @return [::String]
850
+ # A token identifying a page of results the server should return.
851
+ class SearchGrantsResponse
852
+ include ::Google::Protobuf::MessageExts
853
+ extend ::Google::Protobuf::MessageExts::ClassMethods
854
+ end
855
+
856
+ # Message for getting a grant.
857
+ # @!attribute [rw] name
858
+ # @return [::String]
859
+ # Required. Name of the resource.
860
+ class GetGrantRequest
861
+ include ::Google::Protobuf::MessageExts
862
+ extend ::Google::Protobuf::MessageExts::ClassMethods
863
+ end
864
+
865
+ # Request message for `ApproveGrant` method.
866
+ # @!attribute [rw] name
867
+ # @return [::String]
868
+ # Required. Name of the grant resource which is being approved.
869
+ # @!attribute [rw] reason
870
+ # @return [::String]
871
+ # Optional. The reason for approving this grant. This is required if the
872
+ # `require_approver_justification` field of the `ManualApprovals` workflow
873
+ # used in this grant is true.
874
+ class ApproveGrantRequest
875
+ include ::Google::Protobuf::MessageExts
876
+ extend ::Google::Protobuf::MessageExts::ClassMethods
877
+ end
878
+
879
+ # Request message for `DenyGrant` method.
880
+ # @!attribute [rw] name
881
+ # @return [::String]
882
+ # Required. Name of the grant resource which is being denied.
883
+ # @!attribute [rw] reason
884
+ # @return [::String]
885
+ # Optional. The reason for denying this grant. This is required if
886
+ # `require_approver_justification` field of the `ManualApprovals` workflow
887
+ # used in this grant is true.
888
+ class DenyGrantRequest
889
+ include ::Google::Protobuf::MessageExts
890
+ extend ::Google::Protobuf::MessageExts::ClassMethods
891
+ end
892
+
893
+ # Request message for `RevokeGrant` method.
894
+ # @!attribute [rw] name
895
+ # @return [::String]
896
+ # Required. Name of the grant resource which is being revoked.
897
+ # @!attribute [rw] reason
898
+ # @return [::String]
899
+ # Optional. The reason for revoking this grant.
900
+ class RevokeGrantRequest
901
+ include ::Google::Protobuf::MessageExts
902
+ extend ::Google::Protobuf::MessageExts::ClassMethods
903
+ end
904
+
905
+ # Message for creating a grant
906
+ # @!attribute [rw] parent
907
+ # @return [::String]
908
+ # Required. Name of the parent entitlement for which this grant is being
909
+ # requested.
910
+ # @!attribute [rw] grant
911
+ # @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant]
912
+ # Required. The resource being created.
913
+ # @!attribute [rw] request_id
914
+ # @return [::String]
915
+ # Optional. An optional request ID to identify requests. Specify a unique
916
+ # request ID so that if you must retry your request, the server knows to
917
+ # ignore the request if it has already been completed. The server guarantees
918
+ # this for at least 60 minutes after the first request.
919
+ #
920
+ # For example, consider a situation where you make an initial request and the
921
+ # request times out. If you make the request again with the same request
922
+ # ID, the server can check if original operation with the same request ID
923
+ # was received, and if so, ignores the second request. This prevents
924
+ # clients from accidentally creating duplicate commitments.
925
+ #
926
+ # The request ID must be a valid UUID with the exception that zero UUID is
927
+ # not supported (00000000-0000-0000-0000-000000000000).
928
+ class CreateGrantRequest
929
+ include ::Google::Protobuf::MessageExts
930
+ extend ::Google::Protobuf::MessageExts::ClassMethods
931
+ end
932
+
933
+ # Represents the metadata of the long-running operation.
934
+ # @!attribute [r] create_time
935
+ # @return [::Google::Protobuf::Timestamp]
936
+ # Output only. The time the operation was created.
937
+ # @!attribute [r] end_time
938
+ # @return [::Google::Protobuf::Timestamp]
939
+ # Output only. The time the operation finished running.
940
+ # @!attribute [r] target
941
+ # @return [::String]
942
+ # Output only. Server-defined resource path for the target of the operation.
943
+ # @!attribute [r] verb
944
+ # @return [::String]
945
+ # Output only. Name of the verb executed by the operation.
946
+ # @!attribute [r] status_message
947
+ # @return [::String]
948
+ # Output only. Human-readable status of the operation, if any.
949
+ # @!attribute [r] requested_cancellation
950
+ # @return [::Boolean]
951
+ # Output only. Identifies whether the user has requested cancellation
952
+ # of the operation. Operations that have been cancelled successfully
953
+ # have [Operation.error][] value with a
954
+ # {::Google::Rpc::Status#code google.rpc.Status.code} of 1, corresponding to
955
+ # `Code.CANCELLED`.
956
+ # @!attribute [r] api_version
957
+ # @return [::String]
958
+ # Output only. API version used to start the operation.
959
+ class OperationMetadata
960
+ include ::Google::Protobuf::MessageExts
961
+ extend ::Google::Protobuf::MessageExts::ClassMethods
962
+ end
963
+ end
964
+ end
965
+ end
966
+ end