@google-cloud/dlp 4.1.1 → 4.3.0

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -133,7 +133,7 @@ service DlpService {
     };
   }
 
-  // Returns a list of the sensitive information types that the DLP API
+  // Returns a list of the sensitive information types that DLP API
   // supports. See https://cloud.google.com/dlp/docs/infotypes-reference to
   // learn more.
   rpc ListInfoTypes(ListInfoTypesRequest) returns (ListInfoTypesResponse) {
@@ -146,7 +146,7 @@ service DlpService {
     option (google.api.method_signature) = "parent";
   }
 
-  // Creates an InspectTemplate for re-using frequently used configuration
+  // Creates an InspectTemplate for reusing frequently used configuration
   // for inspecting content, images, and storage.
   // See https://cloud.google.com/dlp/docs/creating-templates to learn more.
   rpc CreateInspectTemplate(CreateInspectTemplateRequest) returns (InspectTemplate) {
@@ -245,7 +245,7 @@ service DlpService {
     option (google.api.method_signature) = "name";
   }
 
-  // Creates a DeidentifyTemplate for re-using frequently used configuration
+  // Creates a DeidentifyTemplate for reusing frequently used configuration
   // for de-identifying content, images, and storage.
   // See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
   // more.
@@ -505,7 +505,7 @@ service DlpService {
   }
 
   // Deletes a long-running DlpJob. This method indicates that the client is
-  // no longer interested in the DlpJob result. The job will be cancelled if
+  // no longer interested in the DlpJob result. The job will be canceled if
   // possible.
   // See https://cloud.google.com/dlp/docs/inspecting-storage and
   // https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.
@@ -660,7 +660,7 @@ service DlpService {
   }
 }
 
-// List of exclude infoTypes.
+// List of excluded infoTypes.
 message ExcludeInfoTypes {
   // InfoType list in ExclusionRule rule drops a finding when it overlaps or
   // contained within with a finding of an infoType from this list. For
@@ -673,6 +673,20 @@ message ExcludeInfoTypes {
   repeated InfoType info_types = 1;
 }
 
+// The rule to exclude findings based on a hotword. For record inspection of
+// tables, column names are considered hotwords. An example of this is to
+// exclude a finding if a BigQuery column matches a specific pattern.
+message ExcludeByHotword {
+  // Regular expression pattern defining what qualifies as a hotword.
+  CustomInfoType.Regex hotword_regex = 1;
+
+  // Range of characters within which the entire hotword must reside.
+  // The total length of the window cannot exceed 1000 characters.
+  // The windowBefore property in proximity should be set to 1 if the hotword
+  // needs to be included in a column header.
+  CustomInfoType.DetectionRule.Proximity proximity = 2;
+}
+
 // The rule that specifies conditions when findings of infoTypes specified in
 // `InspectionRuleSet` are removed from results.
 message ExclusionRule {
@@ -686,6 +700,10 @@ message ExclusionRule {
 
     // Set of infoTypes for which findings would affect this rule.
     ExcludeInfoTypes exclude_info_types = 3;
+
+    // Drop if the hotword rule is contained in the proximate context. For
+    // tabular data, the context includes the column name.
+    ExcludeByHotword exclude_by_hotword = 5;
   }
 
   // How the rule is applied, see MatchingType documentation for details.
@@ -721,6 +739,12 @@ message InspectionRuleSet {
 message InspectConfig {
   // Configuration to control the number of findings returned for inspection.
   // This is not used for de-identification or data profiling.
+  //
+  // When redacting sensitive data from images, finding limits don't apply. They
+  // can cause unexpected or inconsistent results, where only some data is
+  // redacted. Don't include finding limits in
+  // [RedactImage][google.privacy.dlp.v2.DlpService.RedactImage]
+  // requests. Otherwise, Cloud DLP returns an error.
   message FindingLimits {
     // Max findings configuration per infoType, per content item or long
     // running DlpJob.
@@ -770,6 +794,12 @@ message InspectConfig {
 
   // Configuration to control the number of findings returned.
   // This is not used for data profiling.
+  //
+  // When redacting sensitive data from images, finding limits don't apply. They
+  // can cause unexpected or inconsistent results, where only some data is
+  // redacted. Don't include finding limits in
+  // [RedactImage][google.privacy.dlp.v2.DlpService.RedactImage]
+  // requests. Otherwise, Cloud DLP returns an error.
   FindingLimits limits = 3;
 
   // When true, a contextual quote from the data that triggered a finding is
@@ -850,7 +880,6 @@ message ByteContentItem {
   bytes data = 2;
 }
 
-// Container structure for the content to inspect.
 message ContentItem {
   // Data of the item either in the byte array or UTF-8 string form, or table.
   oneof data_item {
@@ -1006,7 +1035,7 @@ message ContentLocation {
   // * Datastore namespace: {namespace}
   //
   // Nested names could be absent if the embedded object has no string
-  // identifier (for an example an image contained within a document).
+  // identifier (for example, an image contained within a document).
   string container_name = 1;
 
   // Type of the container within the file with location of the finding.
@@ -1024,14 +1053,14 @@ message ContentLocation {
     MetadataLocation metadata_location = 8;
   }
 
-  // Findings container modification timestamp, if applicable.
-  // For Google Cloud Storage contains last file modification timestamp.
-  // For BigQuery table contains last_modified_time property.
-  // For Datastore - not populated.
+  // Finding container modification timestamp, if applicable. For Cloud Storage,
+  // this field contains the last file modification timestamp. For a BigQuery
+  // table, this field contains the last_modified_time property. For Datastore,
+  // this field isn't populated.
   google.protobuf.Timestamp container_timestamp = 6;
 
-  // Findings container version, if available
-  // ("generation" for Google Cloud Storage).
+  // Finding container version, if available
+  // ("generation" for Cloud Storage).
   string container_version = 7;
 }
 
@@ -1086,7 +1115,7 @@ message TableLocation {
 // Represents a container that may contain DLP findings.
 // Examples of a container include a file, table, or database record.
 message Container {
-  // Container type, for example BigQuery or Google Cloud Storage.
+  // Container type, for example BigQuery or Cloud Storage.
   string type = 1;
 
   // Project where the finding was found.
@@ -1096,33 +1125,35 @@ message Container {
   // A string representation of the full container name.
   // Examples:
   // - BigQuery: 'Project:DataSetId.TableId'
-  // - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'
+  // - Cloud Storage: 'gs://Bucket/folders/filename.txt'
   string full_path = 3;
 
   // The root of the container.
   // Examples:
+  //
   // - For BigQuery table `project_id:dataset_id.table_id`, the root is
   //  `dataset_id`
-  // - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root
+  // - For Cloud Storage file `gs://bucket/folder/filename.txt`, the root
   //  is `gs://bucket`
   string root_path = 4;
 
   // The rest of the path after the root.
   // Examples:
+  //
   // - For BigQuery table `project_id:dataset_id.table_id`, the relative path is
   //  `table_id`
-  // - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative
+  // - For Cloud Storage file `gs://bucket/folder/filename.txt`, the relative
   //  path is `folder/filename.txt`
   string relative_path = 5;
 
-  // Findings container modification timestamp, if applicable.
-  // For Google Cloud Storage contains last file modification timestamp.
-  // For BigQuery table contains last_modified_time property.
-  // For Datastore - not populated.
+  // Findings container modification timestamp, if applicable. For Cloud
+  // Storage, this field contains the last file modification timestamp. For a
+  // BigQuery table, this field contains the last_modified_time property. For
+  // Datastore, this field isn't populated.
   google.protobuf.Timestamp update_time = 6;
 
   // Findings container version, if available
-  // ("generation" for Google Cloud Storage).
+  // ("generation" for Cloud Storage).
   string version = 7;
 }
 
@@ -1242,7 +1273,7 @@ message RedactImageResponse {
   InspectResult inspect_result = 3;
 }
 
-// Request to de-identify a list of items.
+// Request to de-identify a ContentItem.
 message DeidentifyContentRequest {
   // Parent resource name.
   //
@@ -1275,6 +1306,13 @@ message DeidentifyContentRequest {
   InspectConfig inspect_config = 3;
 
   // The item to de-identify. Will be treated as text.
+  //
+  // This value must be of type
+  // [Table][google.privacy.dlp.v2.Table] if your
+  // [deidentify_config][google.privacy.dlp.v2.DeidentifyContentRequest.deidentify_config]
+  // is a
+  // [RecordTransformations][google.privacy.dlp.v2.RecordTransformations]
+  // object.
   ContentItem item = 4;
 
   // Template to use. Any configuration directly specified in
@@ -1367,7 +1405,7 @@ message ReidentifyContentRequest {
   string location_id = 7;
 }
 
-// Results of re-identifying a item.
+// Results of re-identifying an item.
 message ReidentifyContentResponse {
   // The re-identified item.
   ContentItem item = 1;
@@ -1434,7 +1472,7 @@ message OutputStorageConfig {
     // `timestamp`.
     BASIC_COLUMNS = 1;
 
-    // Schema tailored to findings from scanning Google Cloud Storage.
+    // Schema tailored to findings from scanning Cloud Storage.
     GCS_COLUMNS = 2;
 
     // Schema tailored to findings from scanning Google Datastore.
@@ -1452,8 +1490,8 @@ message OutputStorageConfig {
     // Store findings in an existing table or a new table in an existing
     // dataset. If table_id is not set a new one will be generated
     // for you with the following format:
-    // dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. Pacific timezone will be used for
-    // generating the date details.
+    // dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. Pacific time zone will be used
+    // for generating the date details.
     //
     // For Inspect, each column in an existing output table must have the same
     // name, type, and mode of a field in the `Finding` object.
@@ -1555,6 +1593,9 @@ message InfoTypeDescription {
   // request.
   string description = 4;
 
+  // A list of available versions for the infotype.
+  repeated VersionDescription versions = 9;
+
   // The category of the infoType.
   repeated InfoTypeCategory categories = 10;
 }
@@ -1688,6 +1729,9 @@ message InfoTypeCategory {
 
     // The infoType is typically used in Google internally.
     INTERNAL = 40;
+
+    // The infoType is typically used in New Zealand.
+    NEW_ZEALAND = 41;
   }
 
   // Enum of the current industries in the category.
@@ -1751,6 +1795,15 @@ message InfoTypeCategory {
   }
 }
 
+// Details about each available version for an infotype.
+message VersionDescription {
+  // Name of the version
+  string version = 1;
+
+  // Description of the version.
+  string description = 2;
+}
+
 // Request for the list of infoTypes.
 message ListInfoTypesRequest {
   // The parent resource name.
@@ -2202,10 +2255,10 @@ message AnalyzeDataSourceRiskDetails {
       repeated Value quasi_ids_values = 1;
 
       // The estimated probability that a given individual sharing these
-      // quasi-identifier values is in the dataset. This value, typically called
-      // δ, is the ratio between the number of records in the dataset with these
-      // quasi-identifier values, and the total number of individuals (inside
-      // *and* outside the dataset) with these quasi-identifier values.
+      // quasi-identifier values is in the dataset. This value, typically
+      // called δ, is the ratio between the number of records in the dataset
+      // with these quasi-identifier values, and the total number of individuals
+      // (inside *and* outside the dataset) with these quasi-identifier values.
       // For example, if there are 15 individuals in the dataset who share the
       // same quasi-identifier values, and an estimated 100 people in the entire
       // population with these values, then δ is 0.15.
@@ -2375,6 +2428,9 @@ message DeidentifyConfig {
     // specific locations within structured datasets, such as transforming
     // a column within a table.
     RecordTransformations record_transformations = 2;
+
+    // Treat the dataset as an image and redact.
+    ImageTransformations image_transformations = 4;
   }
 
   // Mode for handling transformation errors. If left unspecified, the default
@@ -2382,6 +2438,49 @@ message DeidentifyConfig {
   TransformationErrorHandling transformation_error_handling = 3;
 }
 
+// A type of transformation that is applied over images.
+message ImageTransformations {
+  // Configuration for determining how redaction of images should occur.
+  message ImageTransformation {
+    // Apply transformation to the selected info_types.
+    message SelectedInfoTypes {
+      // Required. InfoTypes to apply the transformation to. Required. Provided InfoType
+      // must be unique within the ImageTransformations message.
+      repeated InfoType info_types = 5 [(google.api.field_behavior) = REQUIRED];
+    }
+
+    // Apply transformation to all findings.
+    message AllInfoTypes {
+
+    }
+
+    // Apply to all text.
+    message AllText {
+
+    }
+
+    oneof target {
+      // Apply transformation to the selected info_types.
+      SelectedInfoTypes selected_info_types = 4;
+
+      // Apply transformation to all findings not specified in other
+      // ImageTransformation's selected_info_types. Only one instance is allowed
+      // within the ImageTransformations message.
+      AllInfoTypes all_info_types = 5;
+
+      // Apply transformation to all text that doesn't match an infoType. Only
+      // one instance is allowed within the ImageTransformations message.
+      AllText all_text = 6;
+    }
+
+    // The color to use when redacting content from an image. If not
+    // specified, the default is black.
+    Color redaction_color = 3;
+  }
+
+  repeated ImageTransformation transforms = 2;
+}
+
 // How to handle transformation errors during de-identification. A
 // transformation error occurs when the requested transformation is incompatible
 // with the data. For example, trying to de-identify an IP address using a
@@ -2558,7 +2657,7 @@ message CryptoDeterministicConfig {
   // plaintext would be used as is for encryption.
   //
   // Note that case (1) is expected when an `InfoTypeTransformation` is
-  // applied to both structured and non-structured `ContentItem`s.
+  // applied to both structured and unstructured `ContentItem`s.
   FieldId context = 3;
 }
 
@@ -2593,7 +2692,7 @@ message RedactConfig {
 // Characters to skip when doing deidentification of a value. These will be left
 // alone and skipped.
 message CharsToIgnore {
-  // Convenience enum for indication common characters to not transform.
+  // Convenience enum for indicating common characters to not transform.
   enum CommonCharsToIgnore {
     // Unused.
     COMMON_CHARS_TO_IGNORE_UNSPECIFIED = 0;
@@ -2639,6 +2738,21 @@ message CharacterMaskConfig {
 
   // Number of characters to mask. If not set, all matching chars will be
   // masked. Skipped characters do not count towards this tally.
+  //
+  // If `number_to_mask` is negative, this denotes inverse masking. Cloud DLP
+  // masks all but a number of characters.
+  // For example, suppose you have the following values:
+  //
+  // - `masking_character` is `*`
+  // - `number_to_mask` is `-4`
+  // - `reverse_order` is `false`
+  // - `CharsToIgnore` includes `-`
+  // - Input string is `1234-5678-9012-3456`
+  //
+  // The resulting de-identified string is
+  // `****-****-****-3456`. Cloud DLP masks all but the last four characters.
+  // If `reverse_order` is `true`, all but the first four characters are masked
+  // as `1234-****-****-****`.
   int32 number_to_mask = 2;
 
   // Mask characters in reverse order. For example, if `masking_character` is
@@ -2732,7 +2846,7 @@ message BucketingConfig {
 message CryptoReplaceFfxFpeConfig {
   // These are commonly used subsets of the alphabet that the FFX mode
   // natively supports. In the algorithm, the alphabet is selected using
-  // the "radix". Therefore each corresponds to particular radix.
+  // the "radix". Therefore each corresponds to a particular radix.
   enum FfxCommonNativeAlphabet {
     // Unused.
     FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED = 0;
@@ -2765,7 +2879,7 @@ message CryptoReplaceFfxFpeConfig {
   // a default tweak will be used.
   //
   // Note that case (1) is expected when an `InfoTypeTransformation` is
-  // applied to both structured and non-structured `ContentItem`s.
+  // applied to both structured and unstructured `ContentItem`s.
   // Currently, the referenced field may be of value type integer or string.
   //
   // The tweak is constructed as a sequence of bytes in big endian byte order
@@ -3021,7 +3135,7 @@ message RecordCondition {
     repeated Condition conditions = 1;
   }
 
-  // An expression, consisting or an operator and conditions.
+  // An expression, consisting of an operator and conditions.
   message Expressions {
     // Logical operators for conditional checks.
     enum LogicalOperator {
@@ -3110,10 +3224,209 @@ message TransformationSummary {
   int64 transformed_bytes = 7;
 }
 
+// A flattened description of a `PrimitiveTransformation` or
+// `RecordSuppression`.
+message TransformationDescription {
+  // The transformation type.
+  TransformationType type = 1;
+
+  // A description of the transformation. This is empty for a
+  // RECORD_SUPPRESSION, or is the output of calling toString() on the
+  // `PrimitiveTransformation` protocol buffer message for any other type of
+  // transformation.
+  string description = 2;
+
+  // A human-readable string representation of the `RecordCondition`
+  // corresponding to this transformation. Set if a `RecordCondition` was used
+  // to determine whether or not to apply this transformation.
+  //
+  // Examples:
+  //     * (age_field > 85)
+  //     * (age_field <= 18)
+  //     * (zip_field exists)
+  //     * (zip_field == 01234) && (city_field != "Springville")
+  //     * (zip_field == 01234) && (age_field <= 18) && (city_field exists)
+  string condition = 3;
+
+  // Set if the transformation was limited to a specific `InfoType`.
+  InfoType info_type = 4;
+}
+
+// Details about a single transformation. This object contains a description of
+// the transformation, information about whether the transformation was
+// successfully applied, and the precise location where the transformation
+// occurred. These details are stored in a user-specified BigQuery table.
+message TransformationDetails {
+  // The name of the job that completed the transformation.
+  string resource_name = 1;
+
+  // The top level name of the container where the transformation is located
+  // (this will be the source file name or table name).
+  string container_name = 2;
+
+  // Description of transformation. This would only contain more than one
+  // element if there were multiple matching transformations and which one to
+  // apply was ambiguous. Not set for states that contain no transformation,
+  // currently only state that contains no transformation is
+  // TransformationResultStateType.METADATA_UNRETRIEVABLE.
+  repeated TransformationDescription transformation = 3;
+
+  // Status of the transformation, if transformation was not successful, this
+  // will specify what caused it to fail, otherwise it will show that the
+  // transformation was successful.
+  TransformationResultStatus status_details = 4;
+
+  // The number of bytes that were transformed. If transformation was
+  // unsuccessful or did not take place because there was no content to
+  // transform, this will be zero.
+  int64 transformed_bytes = 5;
+
+  // The precise location of the transformed content in the original container.
+  TransformationLocation transformation_location = 6;
+}
+
+// Specifies the location of a transformation.
+message TransformationLocation {
+  oneof location_type {
+    // For infotype transformations, link to the corresponding findings ID so
+    // that location information does not need to be duplicated. Each findings
+    // ID correlates to an entry in the findings output table, this table only
+    // gets created when users specify to save findings (add the save findings
+    // action to the request).
+    string finding_id = 1;
+
+    // For record transformations, provide a field and container information.
+    RecordTransformation record_transformation = 2;
+  }
+
+  // Information about the functionality of the container where this finding
+  // occurred, if available.
+  TransformationContainerType container_type = 3;
+}
+
+message RecordTransformation {
+  // For record transformations, provide a field.
+  FieldId field_id = 1;
+
+  // Findings container modification timestamp, if applicable.
+  google.protobuf.Timestamp container_timestamp = 2;
+
+  // Container version, if available ("generation" for Cloud Storage).
+  string container_version = 3;
+}
+
+message TransformationResultStatus {
+  // Transformation result status type, this will be either SUCCESS, or it will
+  // be the reason for why the transformation was not completely successful.
+  TransformationResultStatusType result_status_type = 1;
+
+  // Detailed error codes and messages
+  google.rpc.Status details = 2;
+}
+
+// Enum of possible outcomes of transformations. SUCCESS if transformation and
+// storing of transformation was successful, otherwise, reason for not
+// transforming.
+enum TransformationResultStatusType {
+  STATE_TYPE_UNSPECIFIED = 0;
+
+  // This will be set when a finding could not be transformed (i.e. outside user
+  // set bucket range).
+  INVALID_TRANSFORM = 1;
+
+  // This will be set when a BigQuery transformation was successful but could
+  // not be stored back in BigQuery because the transformed row exceeds
+  // BigQuery's max row size.
+  BIGQUERY_MAX_ROW_SIZE_EXCEEDED = 2;
+
+  // This will be set when there is a finding in the custom metadata of a file,
+  // but at the write time of the transformed file, this key / value pair is
+  // unretrievable.
+  METADATA_UNRETRIEVABLE = 3;
+
+  // This will be set when the transformation and storing of it is successful.
+  SUCCESS = 4;
+}
+
+// Describes functionality of a given container in its original format.
+enum TransformationContainerType {
+  TRANSFORM_UNKNOWN_CONTAINER = 0;
+
+  TRANSFORM_BODY = 1;
+
+  TRANSFORM_METADATA = 2;
+
+  TRANSFORM_TABLE = 3;
+}
+
+// An enum of rules that can be used to transform a value. Can be a
+// record suppression, or one of the transformation rules specified under
+// `PrimitiveTransformation`.
+enum TransformationType {
+  // Unused
+  TRANSFORMATION_TYPE_UNSPECIFIED = 0;
+
+  // Record suppression
+  RECORD_SUPPRESSION = 1;
+
+  // Replace value
+  REPLACE_VALUE = 2;
+
+  // Replace value using a dictionary.
+  REPLACE_DICTIONARY = 15;
+
+  // Redact
+  REDACT = 3;
+
+  // Character mask
+  CHARACTER_MASK = 4;
+
+  // FFX-FPE
+  CRYPTO_REPLACE_FFX_FPE = 5;
+
+  // Fixed size bucketing
+  FIXED_SIZE_BUCKETING = 6;
+
+  // Bucketing
+  BUCKETING = 7;
+
+  // Replace with info type
+  REPLACE_WITH_INFO_TYPE = 8;
+
+  // Time part
+  TIME_PART = 9;
+
+  // Crypto hash
+  CRYPTO_HASH = 10;
+
+  // Date shift
+  DATE_SHIFT = 12;
+
+  // Deterministic crypto
+  CRYPTO_DETERMINISTIC_CONFIG = 13;
+
+  // Redact image
+  REDACT_IMAGE = 14;
+}
+
+// Config for storing transformation details.
+message TransformationDetailsStorageConfig {
+  // Location to store the transformation summary.
+  oneof type {
+    // The BigQuery table in which to store the output. This may be an existing
+    // table or in a new table in an existing dataset.
+    // If table_id is not set a new one will be generated for you with the
+    // following format:
+    // dlp_googleapis_transformation_details_yyyy_mm_dd_[dlp_job_id]. Pacific
+    // time zone will be used for generating the date details.
+    BigQueryTable table = 1;
+  }
+}
+
 // Schedule for inspect job triggers.
 message Schedule {
   oneof option {
-    // With this option a job is started a regular periodic basis. For
+    // With this option a job is started on a regular periodic basis. For
     // example: every day (86400 seconds).
     //
     // A scheduled start time will be skipped if the previous
@@ -3302,7 +3615,7 @@ message Action {
     OutputStorageConfig output_config = 1;
   }
 
-  // Publish a message into given Pub/Sub topic when DlpJob has completed. The
+  // Publish a message into a given Pub/Sub topic when DlpJob has completed. The
   // message contains a single field, `DlpJobName`, which is equal to the
   // finished job's
   // [`DlpJob.name`](https://cloud.google.com/dlp/docs/reference/rest/v2/projects.dlpJobs#DlpJob).
@@ -3320,31 +3633,88 @@ message Action {
   // This action is only available for projects which are parts of
   // an organization and whitelisted for the alpha Cloud Security Command
   // Center.
-  // The action will publish count of finding instances and their info types.
-  // The summary of findings will be persisted in CSCC and are governed by CSCC
-  // service-specific policy, see https://cloud.google.com/terms/service-terms
-  // Only a single instance of this action can be specified.
-  // Compatible with: Inspect
+  // The action will publish the count of finding instances and their info
+  // types. The summary of findings will be persisted in CSCC and are governed
+  // by CSCC service-specific policy, see
+  // https://cloud.google.com/terms/service-terms Only a single instance of this
+  // action can be specified. Compatible with: Inspect
   message PublishSummaryToCscc {
 
   }
 
-  // Publish findings of a DlpJob to Data Catalog. Labels summarizing the
-  // results of the DlpJob will be applied to the entry for the resource scanned
-  // in Data Catalog. Any labels previously written by another DlpJob will
-  // be deleted. InfoType naming patterns are strictly enforced when using this
-  // feature. Note that the findings will be persisted in Data Catalog
-  // storage and are governed by Data Catalog service-specific policy, see
-  // https://cloud.google.com/terms/service-terms
-  // Only a single instance of this action can be specified and only allowed if
-  // all resources being scanned are BigQuery tables.
+  // Publish findings of a DlpJob to Data Catalog. In Data Catalog, tag
+  // templates are applied to the resource that Cloud DLP scanned. Data
+  // Catalog tag templates are stored in the same project and region where the
+  // BigQuery table exists. For Cloud DLP to create and apply the tag template,
+  // the Cloud DLP service agent must have the
+  // `roles/datacatalog.tagTemplateOwner` permission on the project. The tag
+  // template contains fields summarizing the results of the DlpJob. Any field
+  // values previously written by another DlpJob are deleted. [InfoType naming
+  // patterns][google.privacy.dlp.v2.InfoType] are strictly enforced when using
+  // this feature.
+  //
+  // Findings are persisted in Data Catalog storage and are governed by
+  // service-specific policies for Data Catalog. For more information, see
+  // [Service Specific Terms](https://cloud.google.com/terms/service-terms).
+  //
+  // Only a single instance of this action can be specified. This action is
+  // allowed only if all resources being scanned are BigQuery tables.
   // Compatible with: Inspect
   message PublishFindingsToCloudDataCatalog {
 
   }
 
-  // Enable email notification to project owners and editors on jobs's
-  // completion/failure.
+  // Create a de-identified copy of the requested table or files.
+  //
+  // A TransformationDetail will be created for each transformation.
+  //
+  // If any rows in BigQuery are skipped during de-identification
+  // (transformation errors or row size exceeds BigQuery insert API limits) they
+  // are placed in the failure output table. If the original row exceeds
+  // the BigQuery insert API limit it will be truncated when written to the
+  // failure output table. The failure output table can be set in the
+  // action.deidentify.output.big_query_output.deidentified_failure_output_table
+  // field, if no table is set, a table will be automatically created in the
+  // same project and dataset as the original table.
+  //
+  // Compatible with: Inspect
+  message Deidentify {
+    // User specified deidentify templates and configs for structured,
+    // unstructured, and image files.
+    TransformationConfig transformation_config = 7;
+
+    // Config for storing transformation details. This is separate from the
+    // de-identified content, and contains metadata about the successful
+    // transformations and/or failures that occurred while de-identifying. This
+    // needs to be set in order for users to access information about the status
+    // of each transformation (see
+    // [TransformationDetails][google.privacy.dlp.v2.TransformationDetails]
+    // message for more information about what is noted).
+    TransformationDetailsStorageConfig transformation_details_storage_config = 3;
+
+    oneof output {
+      // Required. User settable Cloud Storage bucket and folders to store de-identified
+      // files. This field must be set for cloud storage deidentification. The
+      // output Cloud Storage bucket must be different from the input bucket.
+      // De-identified files will overwrite files in the output path.
+      //
+      // Form of: gs://bucket/folder/ or gs://bucket
+      string cloud_storage_output = 9 [(google.api.field_behavior) = REQUIRED];
+    }
+
+    // List of user-specified file type groups to transform. If specified, only
+    // the files with these filetypes will be transformed. If empty, all
+    // supported files will be transformed. Supported types may be automatically
+    // added over time. If a file type is set in this field that isn't supported
+    // by the Deidentify action then the job will fail and will not be
+    // successfully created/started. Currently the only filetypes supported are:
+    // IMAGES, TEXT_FILES, CSV, TSV.
+    repeated FileType file_types_to_transform = 8;
+  }
+
+  // Sends an email when the job completes. The email goes to IAM project owners
+  // and technical [Essential
+  // Contacts](https://cloud.google.com/resource-manager/docs/managing-notification-contacts).
   message JobNotificationEmails {
 
   }
@@ -3361,7 +3731,7 @@ message Action {
     // Save resulting findings in a provided location.
     SaveFindings save_findings = 1;
 
-    // Publish a notification to a pubsub topic.
+    // Publish a notification to a Pub/Sub topic.
     PublishToPubSub pub_sub = 2;
 
     // Publish summary to Cloud Security Command Center (Alpha).
@@ -3370,8 +3740,12 @@ message Action {
     // Publish findings to Cloud Datahub.
     PublishFindingsToCloudDataCatalog publish_findings_to_cloud_data_catalog = 5;
 
-    // Enable email notification for project owners and editors on job's
-    // completion/failure.
+    // Create a de-identified copy of the input data.
+    Deidentify deidentify = 7;
+
+    // Sends an email when the job completes. The email goes to IAM project
+    // owners and technical [Essential
+    // Contacts](https://cloud.google.com/resource-manager/docs/managing-notification-contacts).
     JobNotificationEmails job_notification_emails = 8;
 
     // Enable Stackdriver metric dlp.googleapis.com/finding_count.
@@ -3379,6 +3753,34 @@ message Action {
   }
 }
 
+// User specified templates and configs for how to deidentify structured,
+// unstructures, and image files. User must provide either a unstructured
+// deidentify template or at least one redact image config.
+message TransformationConfig {
+  // De-identify template.
+  // If this template is specified, it will serve as the default de-identify
+  // template. This template cannot contain `record_transformations` since it
+  // can be used for unstructured content such as free-form text files. If this
+  // template is not set, a default `ReplaceWithInfoTypeConfig` will be used to
+  // de-identify unstructured content.
+  string deidentify_template = 1;
+
+  // Structured de-identify template.
+  // If this template is specified, it will serve as the de-identify template
+  // for structured content such as delimited files and tables. If this template
+  // is not set but the `deidentify_template` is set, then `deidentify_template`
+  // will also apply to the structured content. If neither template is set, a
+  // default `ReplaceWithInfoTypeConfig` will be used to de-identify structured
+  // content.
+  string structured_deidentify_template = 2;
+
+  // Image redact template.
+  // If this template is specified, it will serve as the de-identify template
+  // for images. If this template is not set, all findings in the image will be
+  // redacted with a black box.
+  string image_redact_template = 4;
+}
+
 // Request message for CreateInspectTemplate.
 message CreateInspectTemplateRequest {
   // Required. Parent resource name.
@@ -3486,7 +3888,7 @@ message ListInspectTemplatesRequest {
   // to `ListInspectTemplates`.
   string page_token = 2;
 
-  // Size of the page, can be limited by server. If zero server returns
+  // Size of the page, can be limited by the server. If zero server returns
   // a page of max size 100.
   int32 page_size = 3;
 
@@ -3499,10 +3901,10 @@ message ListInspectTemplatesRequest {
   //
   // Supported fields are:
   //
-  // - `create_time`: corresponds to time the template was created.
-  // - `update_time`: corresponds to time the template was last updated.
-  // - `name`: corresponds to template's name.
-  // - `display_name`: corresponds to template's display name.
+  // - `create_time`: corresponds to the time the template was created.
+  // - `update_time`: corresponds to the time the template was last updated.
+  // - `name`: corresponds to the template's name.
+  // - `display_name`: corresponds to the template's display name.
   string order_by = 4;
 
   // Deprecated. This field has no effect.
@@ -3701,11 +4103,11 @@ message ListJobTriggersRequest {
   //
   // Supported fields are:
   //
-  // - `create_time`: corresponds to time the JobTrigger was created.
-  // - `update_time`: corresponds to time the JobTrigger was last updated.
+  // - `create_time`: corresponds to the time the JobTrigger was created.
+  // - `update_time`: corresponds to the time the JobTrigger was last updated.
   // - `last_run_time`: corresponds to the last time the JobTrigger ran.
-  // - `name`: corresponds to JobTrigger's name.
-  // - `display_name`: corresponds to JobTrigger's display name.
+  // - `name`: corresponds to the JobTrigger's name.
+  // - `display_name`: corresponds to the JobTrigger's display name.
   // - `status`: corresponds to JobTrigger's status.
   string order_by = 4;
 
@@ -3932,7 +4334,7 @@ message DlpJob {
     // The job is no longer running.
     DONE = 3;
 
-    // The job was canceled before it could complete.
+    // The job was canceled before it could be completed.
     CANCELED = 4;
 
     // The job had an error and did not complete.
@@ -3940,7 +4342,7 @@ message DlpJob {
 
     // The job is currently accepting findings via hybridInspect.
     // A hybrid job in ACTIVE state may continue to have findings added to it
-    // through calling of hybridInspect. After the job has finished no more
+    // through the calling of hybridInspect. After the job has finished no more
     // calls to hybridInspect may be made. ACTIVE jobs can transition to DONE.
     ACTIVE = 6;
   }
@@ -4026,13 +4428,13 @@ message ListDlpJobsRequest {
   // * Supported fields/values for inspect jobs:
   //     - `state` - PENDING|RUNNING|CANCELED|FINISHED|FAILED
   //     - `inspected_storage` - DATASTORE|CLOUD_STORAGE|BIGQUERY
-  //     - `trigger_name` - The resource name of the trigger that created job.
-  //     - 'end_time` - Corresponds to time the job finished.
-  //     - 'start_time` - Corresponds to time the job finished.
+  //     - `trigger_name` - The name of the trigger that created the job.
+  //     - 'end_time` - Corresponds to the time the job finished.
+  //     - 'start_time` - Corresponds to the time the job finished.
   // * Supported fields for risk analysis jobs:
   //     - `state` - RUNNING|CANCELED|FINISHED|FAILED
-  //     - 'end_time` - Corresponds to time the job finished.
-  //     - 'start_time` - Corresponds to time the job finished.
+  //     - 'end_time` - Corresponds to the time the job finished.
+  //     - 'start_time` - Corresponds to the time the job finished.
   // * The operator must be `=` or `!=`.
   //
   // Examples:
@@ -4063,9 +4465,9 @@ message ListDlpJobsRequest {
   //
   // Supported fields are:
   //
-  // - `create_time`: corresponds to time the job was created.
-  // - `end_time`: corresponds to time the job ended.
-  // - `name`: corresponds to job's name.
+  // - `create_time`: corresponds to the time the job was created.
+  // - `end_time`: corresponds to the time the job ended.
+  // - `name`: corresponds to the job's name.
   // - `state`: corresponds to `state`
   string order_by = 6;
 
@@ -4222,7 +4624,7 @@ message ListDeidentifyTemplatesRequest {
   // to `ListDeidentifyTemplates`.
   string page_token = 2;
 
-  // Size of the page, can be limited by server. If zero server returns
+  // Size of the page, can be limited by the server. If zero server returns
   // a page of max size 100.
   int32 page_size = 3;
 
@@ -4235,10 +4637,10 @@ message ListDeidentifyTemplatesRequest {
   //
   // Supported fields are:
   //
-  // - `create_time`: corresponds to time the template was created.
-  // - `update_time`: corresponds to time the template was last updated.
-  // - `name`: corresponds to template's name.
-  // - `display_name`: corresponds to template's display name.
+  // - `create_time`: corresponds to the time the template was created.
+  // - `update_time`: corresponds to the time the template was last updated.
+  // - `name`: corresponds to the template's name.
+  // - `display_name`: corresponds to the template's display name.
   string order_by = 4;
 
   // Deprecated. This field has no effect.
@@ -4272,11 +4674,11 @@ message DeleteDeidentifyTemplateRequest {
 // Configuration for a custom dictionary created from a data source of any size
 // up to the maximum size defined in the
 // [limits](https://cloud.google.com/dlp/limits) page. The artifacts of
-// dictionary creation are stored in the specified Google Cloud Storage
+// dictionary creation are stored in the specified Cloud Storage
 // location. Consider using `CustomInfoType.Dictionary` for smaller dictionaries
 // that satisfy the size requirements.
 message LargeCustomDictionaryConfig {
-  // Location to store dictionary artifacts in Google Cloud Storage. These files
+  // Location to store dictionary artifacts in Cloud Storage. These files
   // will only be accessible by project owners and the DLP API. If any of these
   // artifacts are modified, the dictionary is considered invalid and can no
   // longer be used.
@@ -4349,7 +4751,7 @@ message StoredInfoTypeVersion {
   // appearing first.
   //
   // For example, some of the data for stored custom dictionaries is put in
-  // the user's Google Cloud Storage bucket, and if this data is modified or
+  // the user's Cloud Storage bucket, and if this data is modified or
   // deleted by the user or another system, the dictionary becomes invalid.
   //
   // If any errors occur, fix the problem indicated by the error message and
@@ -4472,10 +4874,6 @@ message ListStoredInfoTypesRequest {
   //   `projects/`<var>PROJECT_ID</var>`/locations/`<var>LOCATION_ID</var>
   // + Projects scope, no location specified (defaults to global):<br/>
   //   `projects/`<var>PROJECT_ID</var>
-  // + Organizations scope, location specified:<br/>
-  //   `organizations/`<var>ORG_ID</var>`/locations/`<var>LOCATION_ID</var>
-  // + Organizations scope, no location specified (defaults to global):<br/>
-  //   `organizations/`<var>ORG_ID</var>
   //
   // The following example `parent` string specifies a parent project with the
   // identifier `example-project`, and specifies the `europe-west3` location
@@ -4493,7 +4891,7 @@ message ListStoredInfoTypesRequest {
   // to `ListStoredInfoTypes`.
   string page_token = 2;
 
-  // Size of the page, can be limited by server. If zero server returns
+  // Size of the page, can be limited by the server. If zero server returns
   // a page of max size 100.
   int32 page_size = 3;
 
@@ -4506,7 +4904,7 @@ message ListStoredInfoTypesRequest {
   //
   // Supported fields are:
   //
-  // - `create_time`: corresponds to time the most recent version of the
+  // - `create_time`: corresponds to the time the most recent version of the
   // resource was created.
   // - `state`: corresponds to the state of the resource.
   // - `name`: corresponds to resource name.
@@ -4750,33 +5148,7 @@ enum StoredInfoTypeState {
 }
 
 // Score is a summary of all elements in the data profile.
-// A higher number means more sensitive.
-message SensitivityScore {
-  // Various score levels for resources.
-  enum SensitivityScoreLevel {
-    // Unused.
-    SENSITIVITY_SCORE_UNSPECIFIED = 0;
-
-    // No sensitive information detected. Limited access.
-    SENSITIVITY_LOW = 10;
-
-    // Medium risk - PII, potentially sensitive data, or fields with free-text
-    // data that are at higher risk of having intermittent sensitive data.
-    // Consider limiting access.
-    SENSITIVITY_MODERATE = 20;
-
-    // High risk – SPII may be present. Exfiltration of data may lead to user
-    // data loss. Re-identification of users may be possible. Consider limiting
-    // usage and or removing SPII.
-    SENSITIVITY_HIGH = 30;
-  }
-
-  // The score applied to the resource.
-  SensitivityScoreLevel score = 1;
-}
-
-// Score is a summary of all elements in the data profile.
-// A higher number means more risky.
+// A higher number means more risk.
 message DataRiskLevel {
   // Various score levels for resources.
   enum DataRiskLevelScore {
@@ -4789,8 +5161,8 @@ message DataRiskLevel {
     RISK_LOW = 10;
 
     // Medium risk - Sensitive data may be present but additional access or fine
-    // grain access restrictions appears to be present.  Consider limiting
-    // access even further or transforming data to mask.
+    // grain access restrictions appear to be present.  Consider limiting
+    // access even further or transform data to mask.
     RISK_MODERATE = 20;
 
     // High risk – SPII may be present. Access controls may include public
@@ -4905,6 +5277,7 @@ message TableDataProfile {
   int64 table_size_bytes = 12;
 
   // Number of rows in the table when the profile was generated.
+  // This will not be populated for BigLake tables.
   int64 row_count = 13;
 
   // How the table is encrypted.
@@ -4947,15 +5320,22 @@ enum EncryptionStatus {
 message InfoTypeSummary {
   // The infoType.
   InfoType info_type = 1;
+
+  // Not populated for predicted infotypes.
+  int32 estimated_prevalence = 2 [deprecated = true];
 }
 
 // Infotype details for other infoTypes found within a column.
 message OtherInfoTypeSummary {
   // The other infoType.
   InfoType info_type = 1;
+
+  // Approximate percentage of non-null rows that contained data detected by
+  // this infotype.
+  int32 estimated_prevalence = 2;
 }
 
-// A condition for determining whether a PubSub should be triggered.
+// A condition for determining whether a Pub/Sub should be triggered.
 message DataProfilePubSubCondition {
   // Various score levels for resources.
   enum ProfileScoreBucket {
@@ -5006,10 +5386,9 @@ message DataProfilePubSubCondition {
   PubSubExpressions expressions = 1;
 }
 
-// The message that will be published to a Pub/Sub topic.
+// Pub/Sub topic message for a DataProfileAction.PubSubNotification event.
 // To receive a message of protocol buffer schema type, convert the message data
 // to an object of this proto class.
-// https://cloud.google.com/pubsub/docs/samples/pubsub-subscribe-proto-messages
 message DataProfilePubSubMessage {
   // If `DetailLevel` is `TABLE_PROFILE` this will be fully populated.
   // Otherwise, if `DetailLevel` is `RESOURCE_NAME`, then only `name` and