xref: /aosp_15_r20/external/googleapis/google/cloud/accessapproval/v1/accessapproval.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9)
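// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.accessapproval.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AccessApproval.V1";
option go_package = "cloud.google.com/go/accessapproval/apiv1/accessapprovalpb;accessapprovalpb";
option java_multiple_files = true;
option java_outer_classname = "AccessApprovalProto";
option java_package = "com.google.cloud.accessapproval.v1";
option php_namespace = "Google\\Cloud\\AccessApproval\\V1";
option ruby_package = "Google::Cloud::AccessApproval::V1";
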
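// This API allows a customer to manage accesses to cloud resources by
// Google personnel. It defines the following resource model:
//
// - The API has a collection of
//   [ApprovalRequest][google.cloud.accessapproval.v1.ApprovalRequest]
//   resources, named `approvalRequests/{approval_request}`
// - The API has top-level settings per Project/Folder/Organization, named
//   `accessApprovalSettings`
//
// The service also periodically emails a list of recipients, defined at the
// Project/Folder/Organization level in the accessApprovalSettings, when there
// is a pending ApprovalRequest for them to act on. The ApprovalRequests can
// also optionally be published to a Pub/Sub topic owned by the customer
// (contact support if you would like to enable Pub/Sub notifications).
//
// ApprovalRequests can be approved or dismissed. Google personnel can only
// access the indicated resource or resources if the request is approved
// (subject to some exclusions:
// https://cloud.google.com/access-approval/docs/overview#exclusions).
//
// Note: Using Access Approval functionality will mean that Google may not be
// able to meet the SLAs for your chosen products, as any support response times
// may be dramatically increased. As such the SLAs do not apply to any service
// disruption to the extent impacted by Customer's use of Access Approval. Do
// not enable Access Approval for projects where you may require high service
// availability and rapid response by Google Cloud Support.
//
// After a request is approved or dismissed, no further action may be taken on
// it. Requests with the requested_expiration in the past or with no activity
// for 14 days are considered dismissed. When an approval expires, the request
// is considered dismissed.
//
// If a request is not approved or dismissed, we call it pending.
service AccessApproval {
  option (google.api.default_host) = "accessapproval.googleapis.com";

  // NOTE(review): cloud-platform is the only OAuth scope declared, so this
  // file does not express per-method authorization; presumably that is
  // enforced through IAM permissions on the target resource - confirm.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Lists approval requests associated with a project, folder, or organization.
  // Approval requests can be filtered by state (pending, active, dismissed).
  // The order is reverse chronological.
  rpc ListApprovalRequests(ListApprovalRequestsMessage)
      returns (ListApprovalRequestsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/approvalRequests"
      additional_bindings {
        get: "/v1/{parent=folders/*}/approvalRequests"
      }
      additional_bindings {
        get: "/v1/{parent=organizations/*}/approvalRequests"
      }
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an approval request. Returns NOT_FOUND if the request does not exist.
  rpc GetApprovalRequest(GetApprovalRequestMessage) returns (ApprovalRequest) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/approvalRequests/*}"
      additional_bindings {
        get: "/v1/{name=folders/*/approvalRequests/*}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/approvalRequests/*}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Approves a request and returns the updated ApprovalRequest.
  //
  // Returns NOT_FOUND if the request does not exist. Returns
  // FAILED_PRECONDITION if the request exists but is not in a pending state.
  rpc ApproveApprovalRequest(ApproveApprovalRequestMessage)
      returns (ApprovalRequest) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/approvalRequests/*}:approve"
      body: "*"
      additional_bindings {
        post: "/v1/{name=folders/*/approvalRequests/*}:approve"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{name=organizations/*/approvalRequests/*}:approve"
        body: "*"
      }
    };
  }

  // Dismisses a request. Returns the updated ApprovalRequest.
  //
  // NOTE: This does not deny access to the resource if another request has been
  // made and approved. It is equivalent in effect to ignoring the request
  // altogether.
  //
  // Returns NOT_FOUND if the request does not exist.
  //
  // Returns FAILED_PRECONDITION if the request exists but is not in a pending
  // state.
  rpc DismissApprovalRequest(DismissApprovalRequestMessage)
      returns (ApprovalRequest) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/approvalRequests/*}:dismiss"
      body: "*"
      additional_bindings {
        post: "/v1/{name=folders/*/approvalRequests/*}:dismiss"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{name=organizations/*/approvalRequests/*}:dismiss"
        body: "*"
      }
    };
  }

  // Invalidates an existing ApprovalRequest. Returns the updated
  // ApprovalRequest.
  //
  // NOTE: This does not deny access to the resource if another request has been
  // made and approved. It only invalidates a single approval.
  //
  // Returns FAILED_PRECONDITION if the request exists but is not in an approved
  // state.
  rpc InvalidateApprovalRequest(InvalidateApprovalRequestMessage)
      returns (ApprovalRequest) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/approvalRequests/*}:invalidate"
      body: "*"
      additional_bindings {
        post: "/v1/{name=folders/*/approvalRequests/*}:invalidate"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{name=organizations/*/approvalRequests/*}:invalidate"
        body: "*"
      }
    };
  }

  // Gets the settings associated with a project, folder, or organization.
  rpc GetAccessApprovalSettings(GetAccessApprovalSettingsMessage)
      returns (AccessApprovalSettings) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/accessApprovalSettings}"
      additional_bindings {
        get: "/v1/{name=folders/*/accessApprovalSettings}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/accessApprovalSettings}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Updates the settings associated with a project, folder, or organization.
  // Settings to update are determined by the value of field_mask.
  rpc UpdateAccessApprovalSettings(UpdateAccessApprovalSettingsMessage)
      returns (AccessApprovalSettings) {
    option (google.api.http) = {
      patch: "/v1/{settings.name=projects/*/accessApprovalSettings}"
      body: "settings"
      additional_bindings {
        patch: "/v1/{settings.name=folders/*/accessApprovalSettings}"
        body: "settings"
      }
      additional_bindings {
        patch: "/v1/{settings.name=organizations/*/accessApprovalSettings}"
        body: "settings"
      }
    };
    option (google.api.method_signature) = "settings,update_mask";
  }

  // Deletes the settings associated with a project, folder, or organization.
  // This will have the effect of disabling Access Approval for the project,
  // folder, or organization, but only if all ancestors also have Access
  // Approval disabled. If Access Approval is enabled at a higher level of the
  // hierarchy, then Access Approval will still be enabled at this level as
  // the settings are inherited.
  rpc DeleteAccessApprovalSettings(DeleteAccessApprovalSettingsMessage)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/accessApprovalSettings}"
      additional_bindings {
        delete: "/v1/{name=folders/*/accessApprovalSettings}"
      }
      additional_bindings {
        delete: "/v1/{name=organizations/*/accessApprovalSettings}"
      }
    };
    option (google.api.method_signature) = "name";
  }

  // Retrieves the service account that is used by Access Approval to access KMS
  // keys for signing approved approval requests.
  rpc GetAccessApprovalServiceAccount(GetAccessApprovalServiceAccountMessage)
      returns (AccessApprovalServiceAccount) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/serviceAccount}"
      additional_bindings {
        get: "/v1/{name=folders/*/serviceAccount}"
      }
      additional_bindings {
        get: "/v1/{name=organizations/*/serviceAccount}"
      }
    };
    option (google.api.method_signature) = "name";
  }
}
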
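// Home office and physical location of the principal.
//
// Despite the `_country` suffix, both fields may carry either a two-letter
// country code or one of the three-letter region codes listed below, so
// consumers must accept both forms.
message AccessLocations {
  // The "home office" location of the principal. A two-letter country code
  // (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or a region code. In some
  // limited situations Google systems may refer to a region code instead
  // of a country code.
  // Possible Region Codes:
  //
  //   * ASI: Asia
  //   * EUR: Europe
  //   * OCE: Oceania
  //   * AFR: Africa
  //   * NAM: North America
  //   * SAM: South America
  //   * ANT: Antarctica
  //   * ANY: Any location
  string principal_office_country = 1;

  // Physical location of the principal at the time of the access. A
  // two-letter country code (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or
  // a region code. In some limited situations Google systems may refer to
  // a region code instead of a country code.
  // Possible Region Codes:
  //
  //   * ASI: Asia
  //   * EUR: Europe
  //   * OCE: Oceania
  //   * AFR: Africa
  //   * NAM: North America
  //   * SAM: South America
  //   * ANT: Antarctica
  //   * ANY: Any location
  string principal_physical_location_country = 2;
}
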
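// The justification given for an access: a reason type plus, for some types,
// free-form detail.
message AccessReason {
  // Type of access justification.
  //
  // Receivers that base an approval policy on this value should treat
  // TYPE_UNSPECIFIED, and any value they do not recognise, as matching no
  // allow rule: proto3 readers can receive values added after they were built.
  enum Type {
    // Default value for proto, shouldn't be used.
    TYPE_UNSPECIFIED = 0;

    // Customer made a request or raised an issue that required the principal to
    // access customer data. `detail` is of the form ("#####" is the issue ID):
    //
    //   * "Feedback Report: #####"
    //   * "Case Number: #####"
    //   * "Case ID: #####"
    //   * "E-PIN Reference: #####"
    //   * "Google-#####"
    //   * "T-#####"
    CUSTOMER_INITIATED_SUPPORT = 1;

    // The principal accessed customer data in order to diagnose or resolve a
    // suspected issue in services. Often this access is used to confirm that
    // customers are not affected by a suspected service issue or to remediate a
    // reversible system issue.
    GOOGLE_INITIATED_SERVICE = 2;

    // Google initiated service for security, fraud, abuse, or compliance
    // purposes.
    GOOGLE_INITIATED_REVIEW = 3;

    // The principal was compelled to access customer data in order to respond
    // to a legal third party data request or process, including legal processes
    // from customers themselves.
    THIRD_PARTY_DATA_REQUEST = 4;

    // The principal accessed customer data in order to diagnose or resolve a
    // suspected issue in services or a known outage.
    GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 5;
  }

  // Type of access justification.
  Type type = 1;

  // More detail about certain reason types. See comments for each type above.
  string detail = 2;
}
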
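// Information about the digital signature of the resource.
//
// NOTE(review): this file does not state which bytes of the ApprovalRequest
// the signature covers or which signature algorithm is used; confirm both
// against the service documentation before implementing verification.
message SignatureInfo {
  // The digital signature.
  bytes signature = 1;

  // How this signature may be verified. At most one member is set.
  oneof verification_info {
    // The public key for the Google default signing, encoded in PEM format.
    // The signature was created with the corresponding private key and may
    // be verified using this public key.
    //
    // NOTE(review): this key arrives in the same message as the signature it
    // verifies. A verifier that needs assurance independent of this response
    // should compare the key with a copy obtained through a separate trusted
    // channel.
    string google_public_key_pem = 2;

    // The resource name of the customer CryptoKeyVersion used for signing.
    //
    // NOTE(review): verifiers should check that this names a key version
    // they expect - presumably the active_key_version configured in
    // AccessApprovalSettings; confirm.
    string customer_kms_key_version = 3;
  }
}
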
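// A decision that has been made to approve access to a resource.
//
// NOTE(review): presumably an approval is in effect only while the current
// time is before expire_time and invalidate_time is unset - confirm against
// the service documentation before relying on it.
message ApproveDecision {
  // The time at which approval was granted.
  google.protobuf.Timestamp approve_time = 1;

  // The time at which the approval expires.
  google.protobuf.Timestamp expire_time = 2;

  // If set, denotes the timestamp at which the approval is invalidated.
  google.protobuf.Timestamp invalidate_time = 3;

  // The signature for the ApprovalRequest and details on how it was signed.
  SignatureInfo signature_info = 4;

  // True when the request has been auto-approved.
  bool auto_approved = 5;
}
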
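// A decision that has been made to dismiss an approval request.
message DismissDecision {
  // The time at which the approval request was dismissed.
  google.protobuf.Timestamp dismiss_time = 1;

  // This field will be true if the ApprovalRequest was implicitly dismissed due
  // to inaction by the access approval approvers (the request is not acted
  // on by the approvers before the expiration time).
  bool implicit = 2;
}
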
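// The properties associated with the resource of the request.
message ResourceProperties {
  // Whether an approval will exclude the descendants of the resource being
  // requested. When false (the proto3 default), the comment above implies
  // descendants are not excluded.
  bool excludes_descendants = 1;
}
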
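// A request for the customer to approve access to a resource.
message ApprovalRequest {
  option (google.api.resource) = {
    type: "accessapproval.googleapis.com/ApprovalRequest"
    pattern: "projects/{project}/approvalRequests/{approval_request}"
    pattern: "folders/{folder}/approvalRequests/{approval_request}"
    pattern: "organizations/{organization}/approvalRequests/{approval_request}"
  };

  // The resource name of the request. Format is
  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}".
  string name = 1;

  // The resource for which approval is being requested. The format of the
  // resource name is defined at
  // https://cloud.google.com/apis/design/resource_names. The resource name here
  // may either be a "full" resource name (e.g.
  // "//library.googleapis.com/shelves/shelf1/books/book2") or a "relative"
  // resource name (e.g. "shelves/shelf1/books/book2") as described in the
  // resource name specification.
  string requested_resource_name = 2;

  // Properties related to the resource represented by requested_resource_name.
  ResourceProperties requested_resource_properties = 9;

  // The justification for which approval is being requested.
  AccessReason requested_reason = 3;

  // The locations for which approval is being requested.
  AccessLocations requested_locations = 4;

  // The time at which approval was requested.
  google.protobuf.Timestamp request_time = 5;

  // The requested expiration for the approval. If the request is approved,
  // access will be granted from the time of approval until the expiration time.
  google.protobuf.Timestamp requested_expiration = 6;

  // The current decision on the approval request. When neither member is set
  // the request has been neither approved nor dismissed, i.e. it is pending.
  oneof decision {
    // Access was approved.
    ApproveDecision approve = 7;

    // The request was dismissed.
    DismissDecision dismiss = 8;
  }
}
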
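// Represents the type of enrollment for a given service to Access Approval.
enum EnrollmentLevel {
  // Default value for proto, shouldn't be used.
  ENROLLMENT_LEVEL_UNSPECIFIED = 0;

  // Service is enrolled in Access Approval for all requests.
  //
  // NOTE(review): this value lacks the ENROLLMENT_LEVEL_ prefix carried by
  // the zero value; renaming it would break generated code and JSON, so the
  // name is kept as published.
  BLOCK_ALL = 1;
}
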
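// Represents the enrollment of a cloud resource into a specific service.
message EnrolledService {
  // The product for which Access Approval will be enrolled. Allowed values are
  // listed below (case-sensitive):
  //
  //   * all
  //   * GA
  //   * App Engine
  //   * BigQuery
  //   * Cloud Bigtable
  //   * Cloud Key Management Service
  //   * Compute Engine
  //   * Cloud Dataflow
  //   * Cloud Dataproc
  //   * Cloud DLP
  //   * Cloud EKM
  //   * Cloud HSM
  //   * Cloud Identity and Access Management
  //   * Cloud Logging
  //   * Cloud Pub/Sub
  //   * Cloud Spanner
  //   * Cloud SQL
  //   * Cloud Storage
  //   * Google Kubernetes Engine
  //   * Organization Policy Serivice
  //   * Persistent Disk
  //   * Resource Manager
  //   * Secret Manager
  //   * Speaker ID
  //
  // NOTE(review): "Organization Policy Serivice" above is reproduced exactly
  // as published. It may be a misspelling of "Service"; because values are
  // case-sensitive, confirm the spelling the API accepts before relying on it.
  //
  // Note: The following values are supported as input for legacy purposes,
  // but will not be returned from the API.
  //
  //   * all
  //   * ga-only
  //   * appengine.googleapis.com
  //   * bigquery.googleapis.com
  //   * bigtable.googleapis.com
  //   * container.googleapis.com
  //   * cloudkms.googleapis.com
  //   * cloudresourcemanager.googleapis.com
  //   * cloudsql.googleapis.com
  //   * compute.googleapis.com
  //   * dataflow.googleapis.com
  //   * dataproc.googleapis.com
  //   * dlp.googleapis.com
  //   * iam.googleapis.com
  //   * logging.googleapis.com
  //   * orgpolicy.googleapis.com
  //   * pubsub.googleapis.com
  //   * spanner.googleapis.com
  //   * secretmanager.googleapis.com
  //   * speakerid.googleapis.com
  //   * storage.googleapis.com
  //
  // Calls to UpdateAccessApprovalSettings using 'all' or any of the
  // XXX.googleapis.com will be translated to the associated product name
  // ('all', 'App Engine', etc.).
  //
  // Note: 'all' will enroll the resource in all products supported at both 'GA'
  // and 'Preview' levels.
  //
  // More information about levels of support is available at
  // https://cloud.google.com/access-approval/docs/supported-services
  string cloud_product = 1;

  // The enrollment level of the service.
  EnrollmentLevel enrollment_level = 2;
}
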
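// Settings on a Project/Folder/Organization related to Access Approval.
message AccessApprovalSettings {
  option (google.api.resource) = {
    type: "accessapproval.googleapis.com/AccessApprovalSettings"
    pattern: "projects/{project}/accessApprovalSettings"
    pattern: "folders/{folder}/accessApprovalSettings"
    pattern: "organizations/{organization}/accessApprovalSettings"
  };

  // NOTE(review): field number 5 is not used in this revision and is not
  // declared reserved. If it belonged to a removed field it should be
  // reserved so it cannot be reused with a different meaning - confirm the
  // field's history.

  // The resource name of the settings. Format is one of:
  //
  //   * "projects/{project}/accessApprovalSettings"
  //   * "folders/{folder}/accessApprovalSettings"
  //   * "organizations/{organization}/accessApprovalSettings"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/AccessApprovalSettings"
  }];

  // A list of email addresses to which notifications relating to approval
  // requests should be sent. Notifications relating to a resource will be sent
  // to all emails in the settings of ancestor resources of that resource. A
  // maximum of 50 email addresses are allowed.
  repeated string notification_emails = 2;

  // A list of Google Cloud Services for which the given resource has Access
  // Approval enrolled. Access requests for the resource given by name against
  // any of these services contained here will be required to have explicit
  // approval. If name refers to an organization, enrollment can be done for
  // individual services. If name refers to a folder or project, enrollment can
  // only be done on an all or nothing basis.
  //
  // If a cloud_product is repeated in this list, the first entry will be
  // honored and all following entries will be discarded. A maximum of 10
  // enrolled services will be enforced, to be expanded as the set of supported
  // services is expanded.
  repeated EnrolledService enrolled_services = 3;

  // Output only. This field is read only (not settable via
  // UpdateAccessApprovalSettings method). If the field is true, that
  // indicates that at least one service is enrolled for Access Approval in one
  // or more ancestors of the Project or Folder (this field will always be
  // unset for the organization since organizations do not have ancestors).
  bool enrolled_ancestor = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The asymmetric crypto key version to use for signing approval requests.
  // Empty active_key_version indicates that a Google-managed key should be used
  // for signing. This property will be ignored if set by an ancestor of this
  // resource, and new non-empty values may not be set.
  string active_key_version = 6;

  // Output only. This field is read only (not settable via
  // UpdateAccessApprovalSettings method). If the field is true, that indicates
  // that an ancestor of this Project or Folder has set active_key_version
  // (this field will always be unset for the organization since organizations
  // do not have ancestors).
  bool ancestor_has_active_key_version = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. This field is read only (not settable via
  // UpdateAccessApprovalSettings method). If the field is true, that indicates
  // that there is some configuration issue with the active_key_version
  // configured at this level in the resource hierarchy (e.g. it doesn't exist
  // or the Access Approval service account doesn't have the correct
  // permissions on it, etc.) This key version is not necessarily the
  // effective key version at this level, as key versions are inherited
  // top-down.
  bool invalid_key_version = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}
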
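// Access Approval service account related to a project/folder/organization.
//
// Per the GetAccessApprovalServiceAccount RPC, this is the account Access
// Approval uses to access KMS keys for signing approved approval requests.
message AccessApprovalServiceAccount {
  option (google.api.resource) = {
    type: "accessapproval.googleapis.com/AccessApprovalServiceAccount"
    pattern: "projects/{project}/serviceAccount"
    pattern: "folders/{folder}/serviceAccount"
    pattern: "organizations/{organization}/serviceAccount"
  };

  // The resource name of the Access Approval service account. Format is one of:
  //
  //   * "projects/{project}/serviceAccount"
  //   * "folders/{folder}/serviceAccount"
  //   * "organizations/{organization}/serviceAccount"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/AccessApprovalServiceAccount"
  }];

  // Email address of the service account.
  string account_email = 2;
}
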
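// Request to list approval requests.
message ListApprovalRequestsMessage {
  // The parent resource. This may be "projects/{project}",
  // "folders/{folder}", or "organizations/{organization}".
  string parent = 1 [(google.api.resource_reference) = {
    child_type: "accessapproval.googleapis.com/ApprovalRequest"
  }];

  // A filter on the type of approval requests to retrieve. Must be one of the
  // following values:
  //
  //   * [not set]: Requests that are pending or have active approvals.
  //   * ALL: All requests.
  //   * PENDING: Only pending requests.
  //   * ACTIVE: Only active (i.e. currently approved) requests.
  //   * DISMISSED: Only requests that have been dismissed, or requests that
  //     are not approved and past expiration.
  //   * EXPIRED: Only requests that have been approved, and the approval has
  //     expired.
  //   * HISTORY: Active, dismissed and expired requests.
  string filter = 2;

  // Requested page size.
  //
  // NOTE(review): no default or maximum is documented in this file; confirm
  // the limits the server applies.
  int32 page_size = 3;

  // A token identifying the page of results to return.
  string page_token = 4;
}
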
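// Response to listing of ApprovalRequest objects.
message ListApprovalRequestsResponse {
  // Approval request details. The ListApprovalRequests RPC documents the
  // order as reverse chronological.
  repeated ApprovalRequest approval_requests = 1;

  // Token to retrieve the next page of results, or empty if there are no more.
  string next_page_token = 2;
}
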
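// Request to get an approval request.
message GetApprovalRequestMessage {
  // The name of the approval request to retrieve.
  // Format:
  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/ApprovalRequest"
  }];
}
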
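// Request to approve an ApprovalRequest.
message ApproveApprovalRequestMessage {
  // Name of the approval request to approve.
  // Format:
  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/ApprovalRequest"
  }];

  // The expiration time of this approval.
  //
  // NOTE(review): this file does not state how this value relates to
  // ApprovalRequest.requested_expiration, or what applies when it is left
  // unset - confirm before relying on a default. Approvers should choose the
  // shortest expiry that satisfies the request.
  google.protobuf.Timestamp expire_time = 2;
}
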
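// Request to dismiss an approval request.
message DismissApprovalRequestMessage {
  // Name of the ApprovalRequest to dismiss.
  // Format:
  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/ApprovalRequest"
  }];
}
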
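// Request to invalidate an existing approval.
message InvalidateApprovalRequestMessage {
  // Name of the ApprovalRequest to invalidate.
  // Format:
  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/ApprovalRequest"
  }];
}
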
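// Request to get access approval settings.
message GetAccessApprovalSettingsMessage {
  // The name of the AccessApprovalSettings to retrieve.
  // Format: "{projects|folders|organizations}/{id}/accessApprovalSettings"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/AccessApprovalSettings"
  }];
}
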
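// Request to update access approval settings.
message UpdateAccessApprovalSettingsMessage {
  // The new AccessApprovalSettings.
  AccessApprovalSettings settings = 1;

  // The update mask applies to the settings. Only the top level fields of
  // AccessApprovalSettings (notification_emails & enrolled_services) are
  // supported. For each field, if it is included, the currently stored value
  // will be entirely overwritten with the value of the field passed in this
  // request.
  //
  // For the `FieldMask` definition, see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  // If this field is left unset, only the notification_emails field will be
  // updated.
  //
  // A request that changes enrolled_services but omits the mask therefore
  // leaves enrollment unchanged. Callers should send an explicit mask and
  // check the returned settings.
  //
  // NOTE(review): active_key_version is a settable field of
  // AccessApprovalSettings but is not listed among the supported paths
  // above; confirm whether it can be updated through this mask.
  google.protobuf.FieldMask update_mask = 2;
}
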
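// Request to delete access approval settings.
message DeleteAccessApprovalSettingsMessage {
  // Name of the AccessApprovalSettings to delete.
  // Format: "{projects|folders|organizations}/{id}/accessApprovalSettings"
  string name = 1 [(google.api.resource_reference) = {
    type: "accessapproval.googleapis.com/AccessApprovalSettings"
  }];
}
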
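// Request to get an Access Approval service account.
message GetAccessApprovalServiceAccountMessage {
  // Name of the AccessApprovalServiceAccount to retrieve.
  // Format: "{projects|folders|organizations}/{id}/serviceAccount"
  //
  // NOTE(review): unlike the other request messages in this file, this field
  // carries no google.api.resource_reference annotation - confirm whether
  // that omission is intentional.
  string name = 1;
}
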