accessapproval/v1/accessapproval.proto

*d5c09012SAndroid Build Coastguard Worker// Copyright 2022 Google LLC
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License");
*d5c09012SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License.
*d5c09012SAndroid Build Coastguard Worker// You may obtain a copy of the License at
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker//     http://www.apache.org/licenses/LICENSE-2.0
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software
*d5c09012SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS,
*d5c09012SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*d5c09012SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and
*d5c09012SAndroid Build Coastguard Worker// limitations under the License.
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workersyntax = "proto3";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workerpackage google.cloud.accessapproval.v1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workerimport "google/api/annotations.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/api/client.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/api/field_behavior.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/api/resource.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/protobuf/empty.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/protobuf/field_mask.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/protobuf/timestamp.proto";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workeroption csharp_namespace = "Google.Cloud.AccessApproval.V1";
*d5c09012SAndroid Build Coastguard Workeroption go_package = "cloud.google.com/go/accessapproval/apiv1/accessapprovalpb;accessapprovalpb";
*d5c09012SAndroid Build Coastguard Workeroption java_multiple_files = true;
*d5c09012SAndroid Build Coastguard Workeroption java_outer_classname = "AccessApprovalProto";
*d5c09012SAndroid Build Coastguard Workeroption java_package = "com.google.cloud.accessapproval.v1";
*d5c09012SAndroid Build Coastguard Workeroption php_namespace = "Google\\Cloud\\AccessApproval\\V1";
*d5c09012SAndroid Build Coastguard Workeroption ruby_package = "Google::Cloud::AccessApproval::V1";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// This API allows a customer to manage accesses to cloud resources by
*d5c09012SAndroid Build Coastguard Worker// Google personnel. It defines the following resource model:
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// - The API has a collection of
*d5c09012SAndroid Build Coastguard Worker//   [ApprovalRequest][google.cloud.accessapproval.v1.ApprovalRequest]
*d5c09012SAndroid Build Coastguard Worker//   resources, named `approvalRequests/{approval_request}`
*d5c09012SAndroid Build Coastguard Worker// - The API has top-level settings per Project/Folder/Organization, named
*d5c09012SAndroid Build Coastguard Worker//   `accessApprovalSettings`
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// The service also periodically emails a list of recipients, defined at the
*d5c09012SAndroid Build Coastguard Worker// Project/Folder/Organization level in the accessApprovalSettings, when there
*d5c09012SAndroid Build Coastguard Worker// is a pending ApprovalRequest for them to act on. The ApprovalRequests can
*d5c09012SAndroid Build Coastguard Worker// also optionally be published to a Pub/Sub topic owned by the customer
*d5c09012SAndroid Build Coastguard Worker// (contact support if you would like to enable Pub/Sub notifications).
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// ApprovalRequests can be approved or dismissed. Google personnel can only
*d5c09012SAndroid Build Coastguard Worker// access the indicated resource or resources if the request is approved
*d5c09012SAndroid Build Coastguard Worker// (subject to some exclusions:
*d5c09012SAndroid Build Coastguard Worker// https://cloud.google.com/access-approval/docs/overview#exclusions).
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// Note: Using Access Approval functionality will mean that Google may not be
*d5c09012SAndroid Build Coastguard Worker// able to meet the SLAs for your chosen products, as any support response times
*d5c09012SAndroid Build Coastguard Worker// may be dramatically increased. As such the SLAs do not apply to any service
*d5c09012SAndroid Build Coastguard Worker// disruption to the extent impacted by Customer's use of Access Approval. Do
*d5c09012SAndroid Build Coastguard Worker// not enable Access Approval for projects where you may require high service
*d5c09012SAndroid Build Coastguard Worker// availability and rapid response by Google Cloud Support.
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// After a request is approved or dismissed, no further action may be taken on
*d5c09012SAndroid Build Coastguard Worker// it. Requests with the requested_expiration in the past or with no activity
*d5c09012SAndroid Build Coastguard Worker// for 14 days are considered dismissed. When an approval expires, the request
*d5c09012SAndroid Build Coastguard Worker// is considered dismissed.
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// If a request is not approved or dismissed, we call it pending.
*d5c09012SAndroid Build Coastguard Workerservice AccessApproval {
*d5c09012SAndroid Build Coastguard Worker  option (google.api.default_host) = "accessapproval.googleapis.com";
*d5c09012SAndroid Build Coastguard Worker  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Lists approval requests associated with a project, folder, or organization.
*d5c09012SAndroid Build Coastguard Worker  // Approval requests can be filtered by state (pending, active, dismissed).
*d5c09012SAndroid Build Coastguard Worker  // The order is reverse chronological.
*d5c09012SAndroid Build Coastguard Worker  rpc ListApprovalRequests(ListApprovalRequestsMessage) returns (ListApprovalRequestsResponse) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      get: "/v1/{parent=projects/*}/approvalRequests"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{parent=folders/*}/approvalRequests"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{parent=organizations/*}/approvalRequests"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "parent";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Gets an approval request. Returns NOT_FOUND if the request does not exist.
*d5c09012SAndroid Build Coastguard Worker  rpc GetApprovalRequest(GetApprovalRequestMessage) returns (ApprovalRequest) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      get: "/v1/{name=projects/*/approvalRequests/*}"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=folders/*/approvalRequests/*}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=organizations/*/approvalRequests/*}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "name";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Approves a request and returns the updated ApprovalRequest.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Returns NOT_FOUND if the request does not exist. Returns
*d5c09012SAndroid Build Coastguard Worker  // FAILED_PRECONDITION if the request exists but is not in a pending state.
*d5c09012SAndroid Build Coastguard Worker  rpc ApproveApprovalRequest(ApproveApprovalRequestMessage) returns (ApprovalRequest) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      post: "/v1/{name=projects/*/approvalRequests/*}:approve"
*d5c09012SAndroid Build Coastguard Worker      body: "*"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=folders/*/approvalRequests/*}:approve"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=organizations/*/approvalRequests/*}:approve"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Dismisses a request. Returns the updated ApprovalRequest.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // NOTE: This does not deny access to the resource if another request has been
*d5c09012SAndroid Build Coastguard Worker  // made and approved. It is equivalent in effect to ignoring the request
*d5c09012SAndroid Build Coastguard Worker  // altogether.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Returns NOT_FOUND if the request does not exist.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Returns FAILED_PRECONDITION if the request exists but is not in a pending
*d5c09012SAndroid Build Coastguard Worker  // state.
*d5c09012SAndroid Build Coastguard Worker  rpc DismissApprovalRequest(DismissApprovalRequestMessage) returns (ApprovalRequest) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      post: "/v1/{name=projects/*/approvalRequests/*}:dismiss"
*d5c09012SAndroid Build Coastguard Worker      body: "*"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=folders/*/approvalRequests/*}:dismiss"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=organizations/*/approvalRequests/*}:dismiss"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Invalidates an existing ApprovalRequest. Returns the updated
*d5c09012SAndroid Build Coastguard Worker  // ApprovalRequest.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // NOTE: This does not deny access to the resource if another request has been
*d5c09012SAndroid Build Coastguard Worker  // made and approved. It only invalidates a single approval.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Returns FAILED_PRECONDITION if the request exists but is not in an approved
*d5c09012SAndroid Build Coastguard Worker  // state.
*d5c09012SAndroid Build Coastguard Worker  rpc InvalidateApprovalRequest(InvalidateApprovalRequestMessage) returns (ApprovalRequest) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      post: "/v1/{name=projects/*/approvalRequests/*}:invalidate"
*d5c09012SAndroid Build Coastguard Worker      body: "*"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=folders/*/approvalRequests/*}:invalidate"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        post: "/v1/{name=organizations/*/approvalRequests/*}:invalidate"
*d5c09012SAndroid Build Coastguard Worker        body: "*"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Gets the settings associated with a project, folder, or organization.
*d5c09012SAndroid Build Coastguard Worker  rpc GetAccessApprovalSettings(GetAccessApprovalSettingsMessage) returns (AccessApprovalSettings) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      get: "/v1/{name=projects/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=folders/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=organizations/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "name";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Updates the settings associated with a project, folder, or organization.
*d5c09012SAndroid Build Coastguard Worker  // Settings to update are determined by the value of field_mask.
*d5c09012SAndroid Build Coastguard Worker  rpc UpdateAccessApprovalSettings(UpdateAccessApprovalSettingsMessage) returns (AccessApprovalSettings) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      patch: "/v1/{settings.name=projects/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      body: "settings"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        patch: "/v1/{settings.name=folders/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker        body: "settings"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        patch: "/v1/{settings.name=organizations/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker        body: "settings"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "settings,update_mask";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Deletes the settings associated with a project, folder, or organization.
*d5c09012SAndroid Build Coastguard Worker  // This will have the effect of disabling Access Approval for the project,
*d5c09012SAndroid Build Coastguard Worker  // folder, or organization, but only if all ancestors also have Access
*d5c09012SAndroid Build Coastguard Worker  // Approval disabled. If Access Approval is enabled at a higher level of the
*d5c09012SAndroid Build Coastguard Worker  // hierarchy, then Access Approval will still be enabled at this level as
*d5c09012SAndroid Build Coastguard Worker  // the settings are inherited.
*d5c09012SAndroid Build Coastguard Worker  rpc DeleteAccessApprovalSettings(DeleteAccessApprovalSettingsMessage) returns (google.protobuf.Empty) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      delete: "/v1/{name=projects/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        delete: "/v1/{name=folders/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        delete: "/v1/{name=organizations/*/accessApprovalSettings}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "name";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Retrieves the service account that is used by Access Approval to access KMS
*d5c09012SAndroid Build Coastguard Worker  // keys for signing approved approval requests.
*d5c09012SAndroid Build Coastguard Worker  rpc GetAccessApprovalServiceAccount(GetAccessApprovalServiceAccountMessage) returns (AccessApprovalServiceAccount) {
*d5c09012SAndroid Build Coastguard Worker    option (google.api.http) = {
*d5c09012SAndroid Build Coastguard Worker      get: "/v1/{name=projects/*/serviceAccount}"
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=folders/*/serviceAccount}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker      additional_bindings {
*d5c09012SAndroid Build Coastguard Worker        get: "/v1/{name=organizations/*/serviceAccount}"
*d5c09012SAndroid Build Coastguard Worker      }
*d5c09012SAndroid Build Coastguard Worker    };
*d5c09012SAndroid Build Coastguard Worker    option (google.api.method_signature) = "name";
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Home office and physical location of the principal.
*d5c09012SAndroid Build Coastguard Workermessage AccessLocations {
*d5c09012SAndroid Build Coastguard Worker  // The "home office" location of the principal. A two-letter country code
*d5c09012SAndroid Build Coastguard Worker  // (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or a region code. In some
*d5c09012SAndroid Build Coastguard Worker  // limited situations Google systems may refer refer to a region code instead
*d5c09012SAndroid Build Coastguard Worker  // of a country code.
*d5c09012SAndroid Build Coastguard Worker  // Possible Region Codes:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * ASI: Asia
*d5c09012SAndroid Build Coastguard Worker  //   * EUR: Europe
*d5c09012SAndroid Build Coastguard Worker  //   * OCE: Oceania
*d5c09012SAndroid Build Coastguard Worker  //   * AFR: Africa
*d5c09012SAndroid Build Coastguard Worker  //   * NAM: North America
*d5c09012SAndroid Build Coastguard Worker  //   * SAM: South America
*d5c09012SAndroid Build Coastguard Worker  //   * ANT: Antarctica
*d5c09012SAndroid Build Coastguard Worker  //   * ANY: Any location
*d5c09012SAndroid Build Coastguard Worker  string principal_office_country = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Physical location of the principal at the time of the access. A
*d5c09012SAndroid Build Coastguard Worker  // two-letter country code (ISO 3166-1 alpha-2), such as "US", "DE" or "GB" or
*d5c09012SAndroid Build Coastguard Worker  // a region code. In some limited situations Google systems may refer refer to
*d5c09012SAndroid Build Coastguard Worker  // a region code instead of a country code.
*d5c09012SAndroid Build Coastguard Worker  // Possible Region Codes:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * ASI: Asia
*d5c09012SAndroid Build Coastguard Worker  //   * EUR: Europe
*d5c09012SAndroid Build Coastguard Worker  //   * OCE: Oceania
*d5c09012SAndroid Build Coastguard Worker  //   * AFR: Africa
*d5c09012SAndroid Build Coastguard Worker  //   * NAM: North America
*d5c09012SAndroid Build Coastguard Worker  //   * SAM: South America
*d5c09012SAndroid Build Coastguard Worker  //   * ANT: Antarctica
*d5c09012SAndroid Build Coastguard Worker  //   * ANY: Any location
*d5c09012SAndroid Build Coastguard Worker  string principal_physical_location_country = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workermessage AccessReason {
*d5c09012SAndroid Build Coastguard Worker  // Type of access justification.
*d5c09012SAndroid Build Coastguard Worker  enum Type {
*d5c09012SAndroid Build Coastguard Worker    // Default value for proto, shouldn't be used.
*d5c09012SAndroid Build Coastguard Worker    TYPE_UNSPECIFIED = 0;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Customer made a request or raised an issue that required the principal to
*d5c09012SAndroid Build Coastguard Worker    // access customer data. `detail` is of the form ("#####" is the issue ID):
*d5c09012SAndroid Build Coastguard Worker    //
*d5c09012SAndroid Build Coastguard Worker    //   * "Feedback Report: #####"
*d5c09012SAndroid Build Coastguard Worker    //   * "Case Number: #####"
*d5c09012SAndroid Build Coastguard Worker    //   * "Case ID: #####"
*d5c09012SAndroid Build Coastguard Worker    //   * "E-PIN Reference: #####"
*d5c09012SAndroid Build Coastguard Worker    //   * "Google-#####"
*d5c09012SAndroid Build Coastguard Worker    //   * "T-#####"
*d5c09012SAndroid Build Coastguard Worker    CUSTOMER_INITIATED_SUPPORT = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // The principal accessed customer data in order to diagnose or resolve a
*d5c09012SAndroid Build Coastguard Worker    // suspected issue in services. Often this access is used to confirm that
*d5c09012SAndroid Build Coastguard Worker    // customers are not affected by a suspected service issue or to remediate a
*d5c09012SAndroid Build Coastguard Worker    // reversible system issue.
*d5c09012SAndroid Build Coastguard Worker    GOOGLE_INITIATED_SERVICE = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Google initiated service for security, fraud, abuse, or compliance
*d5c09012SAndroid Build Coastguard Worker    // purposes.
*d5c09012SAndroid Build Coastguard Worker    GOOGLE_INITIATED_REVIEW = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // The principal was compelled to access customer data in order to respond
*d5c09012SAndroid Build Coastguard Worker    // to a legal third party data request or process, including legal processes
*d5c09012SAndroid Build Coastguard Worker    // from customers themselves.
*d5c09012SAndroid Build Coastguard Worker    THIRD_PARTY_DATA_REQUEST = 4;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // The principal accessed customer data in order to diagnose or resolve a
*d5c09012SAndroid Build Coastguard Worker    // suspected issue in services or a known outage.
*d5c09012SAndroid Build Coastguard Worker    GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 5;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Type of access justification.
*d5c09012SAndroid Build Coastguard Worker  Type type = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // More detail about certain reason types. See comments for each type above.
*d5c09012SAndroid Build Coastguard Worker  string detail = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Information about the digital signature of the resource.
*d5c09012SAndroid Build Coastguard Workermessage SignatureInfo {
*d5c09012SAndroid Build Coastguard Worker  // The digital signature.
*d5c09012SAndroid Build Coastguard Worker  bytes signature = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // How this signature may be verified.
*d5c09012SAndroid Build Coastguard Worker  oneof verification_info {
*d5c09012SAndroid Build Coastguard Worker    // The public key for the Google default signing, encoded in PEM format. The
*d5c09012SAndroid Build Coastguard Worker    // signature was created using a private key which may be verified using
*d5c09012SAndroid Build Coastguard Worker    // this public key.
*d5c09012SAndroid Build Coastguard Worker    string google_public_key_pem = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // The resource name of the customer CryptoKeyVersion used for signing.
*d5c09012SAndroid Build Coastguard Worker    string customer_kms_key_version = 3;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// A decision that has been made to approve access to a resource.
*d5c09012SAndroid Build Coastguard Workermessage ApproveDecision {
*d5c09012SAndroid Build Coastguard Worker  // The time at which approval was granted.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp approve_time = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The time at which the approval expires.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp expire_time = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // If set, denotes the timestamp at which the approval is invalidated.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp invalidate_time = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The signature for the ApprovalRequest and details on how it was signed.
*d5c09012SAndroid Build Coastguard Worker  SignatureInfo signature_info = 4;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // True when the request has been auto-approved.
*d5c09012SAndroid Build Coastguard Worker  bool auto_approved = 5;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// A decision that has been made to dismiss an approval request.
*d5c09012SAndroid Build Coastguard Workermessage DismissDecision {
*d5c09012SAndroid Build Coastguard Worker  // The time at which the approval request was dismissed.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp dismiss_time = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // This field will be true if the ApprovalRequest was implicitly dismissed due
*d5c09012SAndroid Build Coastguard Worker  // to inaction by the access approval approvers (the request is not acted
*d5c09012SAndroid Build Coastguard Worker  // on by the approvers before the exiration time).
*d5c09012SAndroid Build Coastguard Worker  bool implicit = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// The properties associated with the resource of the request.
*d5c09012SAndroid Build Coastguard Workermessage ResourceProperties {
*d5c09012SAndroid Build Coastguard Worker  // Whether an approval will exclude the descendants of the resource being
*d5c09012SAndroid Build Coastguard Worker  // requested.
*d5c09012SAndroid Build Coastguard Worker  bool excludes_descendants = 1;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// A request for the customer to approve access to a resource.
*d5c09012SAndroid Build Coastguard Workermessage ApprovalRequest {
*d5c09012SAndroid Build Coastguard Worker  option (google.api.resource) = {
*d5c09012SAndroid Build Coastguard Worker    type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker    pattern: "projects/{project}/approvalRequests/{approval_request}"
*d5c09012SAndroid Build Coastguard Worker    pattern: "folders/{folder}/approvalRequests/{approval_request}"
*d5c09012SAndroid Build Coastguard Worker    pattern: "organizations/{organization}/approvalRequests/{approval_request}"
*d5c09012SAndroid Build Coastguard Worker  };
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource name of the request. Format is
*d5c09012SAndroid Build Coastguard Worker  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}".
*d5c09012SAndroid Build Coastguard Worker  string name = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource for which approval is being requested. The format of the
*d5c09012SAndroid Build Coastguard Worker  // resource name is defined at
*d5c09012SAndroid Build Coastguard Worker  // https://cloud.google.com/apis/design/resource_names. The resource name here
*d5c09012SAndroid Build Coastguard Worker  // may either be a "full" resource name (e.g.
*d5c09012SAndroid Build Coastguard Worker  // "//library.googleapis.com/shelves/shelf1/books/book2") or a "relative"
*d5c09012SAndroid Build Coastguard Worker  // resource name (e.g. "shelves/shelf1/books/book2") as described in the
*d5c09012SAndroid Build Coastguard Worker  // resource name specification.
*d5c09012SAndroid Build Coastguard Worker  string requested_resource_name = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Properties related to the resource represented by requested_resource_name.
*d5c09012SAndroid Build Coastguard Worker  ResourceProperties requested_resource_properties = 9;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The justification for which approval is being requested.
*d5c09012SAndroid Build Coastguard Worker  AccessReason requested_reason = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The locations for which approval is being requested.
*d5c09012SAndroid Build Coastguard Worker  AccessLocations requested_locations = 4;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The time at which approval was requested.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp request_time = 5;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The requested expiration for the approval. If the request is approved,
*d5c09012SAndroid Build Coastguard Worker  // access will be granted from the time of approval until the expiration time.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp requested_expiration = 6;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The current decision on the approval request.
*d5c09012SAndroid Build Coastguard Worker  oneof decision {
*d5c09012SAndroid Build Coastguard Worker    // Access was approved.
*d5c09012SAndroid Build Coastguard Worker    ApproveDecision approve = 7;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // The request was dismissed.
*d5c09012SAndroid Build Coastguard Worker    DismissDecision dismiss = 8;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Represents the type of enrollment for a given service to Access Approval.
*d5c09012SAndroid Build Coastguard Workerenum EnrollmentLevel {
*d5c09012SAndroid Build Coastguard Worker  // Default value for proto, shouldn't be used.
*d5c09012SAndroid Build Coastguard Worker  ENROLLMENT_LEVEL_UNSPECIFIED = 0;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Service is enrolled in Access Approval for all requests
*d5c09012SAndroid Build Coastguard Worker  BLOCK_ALL = 1;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Represents the enrollment of a cloud resource into a specific service.
*d5c09012SAndroid Build Coastguard Workermessage EnrolledService {
*d5c09012SAndroid Build Coastguard Worker  // The product for which Access Approval will be enrolled. Allowed values are
*d5c09012SAndroid Build Coastguard Worker  // listed below (case-sensitive):
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * all
*d5c09012SAndroid Build Coastguard Worker  //   * GA
*d5c09012SAndroid Build Coastguard Worker  //   * App Engine
*d5c09012SAndroid Build Coastguard Worker  //   * BigQuery
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Bigtable
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Key Management Service
*d5c09012SAndroid Build Coastguard Worker  //   * Compute Engine
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Dataflow
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Dataproc
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud DLP
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud EKM
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud HSM
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Identity and Access Management
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Logging
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Pub/Sub
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Spanner
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud SQL
*d5c09012SAndroid Build Coastguard Worker  //   * Cloud Storage
*d5c09012SAndroid Build Coastguard Worker  //   * Google Kubernetes Engine
*d5c09012SAndroid Build Coastguard Worker  //   * Organization Policy Serivice
*d5c09012SAndroid Build Coastguard Worker  //   * Persistent Disk
*d5c09012SAndroid Build Coastguard Worker  //   * Resource Manager
*d5c09012SAndroid Build Coastguard Worker  //   * Secret Manager
*d5c09012SAndroid Build Coastguard Worker  //   * Speaker ID
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Note: These values are supported as input for legacy purposes, but will not
*d5c09012SAndroid Build Coastguard Worker  // be returned from the API.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * all
*d5c09012SAndroid Build Coastguard Worker  //   * ga-only
*d5c09012SAndroid Build Coastguard Worker  //   * appengine.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * bigquery.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * bigtable.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * container.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * cloudkms.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * cloudresourcemanager.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * cloudsql.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * compute.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * dataflow.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * dataproc.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * dlp.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * iam.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * logging.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * orgpolicy.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * pubsub.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * spanner.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * secretmanager.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * speakerid.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //   * storage.googleapis.com
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Calls to UpdateAccessApprovalSettings using 'all' or any of the
*d5c09012SAndroid Build Coastguard Worker  // XXX.googleapis.com will be translated to the associated product name
*d5c09012SAndroid Build Coastguard Worker  // ('all', 'App Engine', etc.).
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Note: 'all' will enroll the resource in all products supported at both 'GA'
*d5c09012SAndroid Build Coastguard Worker  // and 'Preview' levels.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // More information about levels of support is available at
*d5c09012SAndroid Build Coastguard Worker  // https://cloud.google.com/access-approval/docs/supported-services
*d5c09012SAndroid Build Coastguard Worker  string cloud_product = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The enrollment level of the service.
*d5c09012SAndroid Build Coastguard Worker  EnrollmentLevel enrollment_level = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Settings on a Project/Folder/Organization related to Access Approval.
*d5c09012SAndroid Build Coastguard Workermessage AccessApprovalSettings {
*d5c09012SAndroid Build Coastguard Worker  option (google.api.resource) = {
*d5c09012SAndroid Build Coastguard Worker    type: "accessapproval.googleapis.com/AccessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker    pattern: "projects/{project}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker    pattern: "folders/{folder}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker    pattern: "organizations/{organization}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker  };
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource name of the settings. Format is one of:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * "projects/{project}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker  //   * "folders/{folder}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker  //   * "organizations/{organization}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/AccessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // A list of email addresses to which notifications relating to approval
*d5c09012SAndroid Build Coastguard Worker  // requests should be sent. Notifications relating to a resource will be sent
*d5c09012SAndroid Build Coastguard Worker  // to all emails in the settings of ancestor resources of that resource. A
*d5c09012SAndroid Build Coastguard Worker  // maximum of 50 email addresses are allowed.
*d5c09012SAndroid Build Coastguard Worker  repeated string notification_emails = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // A list of Google Cloud Services for which the given resource has Access
*d5c09012SAndroid Build Coastguard Worker  // Approval enrolled. Access requests for the resource given by name against
*d5c09012SAndroid Build Coastguard Worker  // any of these services contained here will be required to have explicit
*d5c09012SAndroid Build Coastguard Worker  // approval. If name refers to an organization, enrollment can be done for
*d5c09012SAndroid Build Coastguard Worker  // individual services. If name refers to a folder or project, enrollment can
*d5c09012SAndroid Build Coastguard Worker  // only be done on an all or nothing basis.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // If a cloud_product is repeated in this list, the first entry will be
*d5c09012SAndroid Build Coastguard Worker  // honored and all following entries will be discarded. A maximum of 10
*d5c09012SAndroid Build Coastguard Worker  // enrolled services will be enforced, to be expanded as the set of supported
*d5c09012SAndroid Build Coastguard Worker  // services is expanded.
*d5c09012SAndroid Build Coastguard Worker  repeated EnrolledService enrolled_services = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Output only. This field is read only (not settable via
*d5c09012SAndroid Build Coastguard Worker  // UpdateAccessApprovalSettings method). If the field is true, that
*d5c09012SAndroid Build Coastguard Worker  // indicates that at least one service is enrolled for Access Approval in one
*d5c09012SAndroid Build Coastguard Worker  // or more ancestors of the Project or Folder (this field will always be
*d5c09012SAndroid Build Coastguard Worker  // unset for the organization since organizations do not have ancestors).
*d5c09012SAndroid Build Coastguard Worker  bool enrolled_ancestor = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The asymmetric crypto key version to use for signing approval requests.
*d5c09012SAndroid Build Coastguard Worker  // Empty active_key_version indicates that a Google-managed key should be used
*d5c09012SAndroid Build Coastguard Worker  // for signing. This property will be ignored if set by an ancestor of this
*d5c09012SAndroid Build Coastguard Worker  // resource, and new non-empty values may not be set.
*d5c09012SAndroid Build Coastguard Worker  string active_key_version = 6;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Output only. This field is read only (not settable via UpdateAccessApprovalSettings
*d5c09012SAndroid Build Coastguard Worker  // method). If the field is true, that indicates that an ancestor of this
*d5c09012SAndroid Build Coastguard Worker  // Project or Folder has set active_key_version (this field will always be
*d5c09012SAndroid Build Coastguard Worker  // unset for the organization since organizations do not have ancestors).
*d5c09012SAndroid Build Coastguard Worker  bool ancestor_has_active_key_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Output only. This field is read only (not settable via UpdateAccessApprovalSettings
*d5c09012SAndroid Build Coastguard Worker  // method). If the field is true, that indicates that there is some
*d5c09012SAndroid Build Coastguard Worker  // configuration issue with the active_key_version configured at this level in
*d5c09012SAndroid Build Coastguard Worker  // the resource hierarchy (e.g. it doesn't exist or the Access Approval
*d5c09012SAndroid Build Coastguard Worker  // service account doesn't have the correct permissions on it, etc.) This key
*d5c09012SAndroid Build Coastguard Worker  // version is not necessarily the effective key version at this level, as key
*d5c09012SAndroid Build Coastguard Worker  // versions are inherited top-down.
*d5c09012SAndroid Build Coastguard Worker  bool invalid_key_version = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Access Approval service account related to a project/folder/organization.
*d5c09012SAndroid Build Coastguard Workermessage AccessApprovalServiceAccount {
*d5c09012SAndroid Build Coastguard Worker  option (google.api.resource) = {
*d5c09012SAndroid Build Coastguard Worker    type: "accessapproval.googleapis.com/AccessApprovalServiceAccount"
*d5c09012SAndroid Build Coastguard Worker    pattern: "projects/{project}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker    pattern: "folders/{folder}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker    pattern: "organizations/{organization}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker  };
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource name of the Access Approval service account. Format is one of:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * "projects/{project}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker  //   * "folders/{folder}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker  //   * "organizations/{organization}/serviceAccount"
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/AccessApprovalServiceAccount"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Email address of the service account.
*d5c09012SAndroid Build Coastguard Worker  string account_email = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to list approval requests.
*d5c09012SAndroid Build Coastguard Workermessage ListApprovalRequestsMessage {
*d5c09012SAndroid Build Coastguard Worker  // The parent resource. This may be "projects/{project}",
*d5c09012SAndroid Build Coastguard Worker  // "folders/{folder}", or "organizations/{organization}".
*d5c09012SAndroid Build Coastguard Worker  string parent = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                       child_type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker                     }];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // A filter on the type of approval requests to retrieve. Must be one of the
*d5c09012SAndroid Build Coastguard Worker  // following values:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //   * [not set]: Requests that are pending or have active approvals.
*d5c09012SAndroid Build Coastguard Worker  //   * ALL: All requests.
*d5c09012SAndroid Build Coastguard Worker  //   * PENDING: Only pending requests.
*d5c09012SAndroid Build Coastguard Worker  //   * ACTIVE: Only active (i.e. currently approved) requests.
*d5c09012SAndroid Build Coastguard Worker  //   * DISMISSED: Only requests that have been dismissed, or requests that
*d5c09012SAndroid Build Coastguard Worker  //     are not approved and past expiration.
*d5c09012SAndroid Build Coastguard Worker  //   * EXPIRED: Only requests that have been approved, and the approval has
*d5c09012SAndroid Build Coastguard Worker  //     expired.
*d5c09012SAndroid Build Coastguard Worker  //   * HISTORY: Active, dismissed and expired requests.
*d5c09012SAndroid Build Coastguard Worker  string filter = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Requested page size.
*d5c09012SAndroid Build Coastguard Worker  int32 page_size = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // A token identifying the page of results to return.
*d5c09012SAndroid Build Coastguard Worker  string page_token = 4;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Response to listing of ApprovalRequest objects.
*d5c09012SAndroid Build Coastguard Workermessage ListApprovalRequestsResponse {
*d5c09012SAndroid Build Coastguard Worker  // Approval request details.
*d5c09012SAndroid Build Coastguard Worker  repeated ApprovalRequest approval_requests = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Token to retrieve the next page of results, or empty if there are no more.
*d5c09012SAndroid Build Coastguard Worker  string next_page_token = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to get an approval request.
*d5c09012SAndroid Build Coastguard Workermessage GetApprovalRequestMessage {
*d5c09012SAndroid Build Coastguard Worker  // The name of the approval request to retrieve.
*d5c09012SAndroid Build Coastguard Worker  // Format:
*d5c09012SAndroid Build Coastguard Worker  // "{projects|folders|organizations}/{id}/approvalRequests/{approval_request}"
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to approve an ApprovalRequest.
*d5c09012SAndroid Build Coastguard Workermessage ApproveApprovalRequestMessage {
*d5c09012SAndroid Build Coastguard Worker  // Name of the approval request to approve.
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The expiration time of this approval.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Timestamp expire_time = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to dismiss an approval request.
*d5c09012SAndroid Build Coastguard Workermessage DismissApprovalRequestMessage {
*d5c09012SAndroid Build Coastguard Worker  // Name of the ApprovalRequest to dismiss.
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to invalidate an existing approval.
*d5c09012SAndroid Build Coastguard Workermessage InvalidateApprovalRequestMessage {
*d5c09012SAndroid Build Coastguard Worker  // Name of the ApprovalRequest to invalidate.
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/ApprovalRequest"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to get access approval settings.
*d5c09012SAndroid Build Coastguard Workermessage GetAccessApprovalSettingsMessage {
*d5c09012SAndroid Build Coastguard Worker  // The name of the AccessApprovalSettings to retrieve.
*d5c09012SAndroid Build Coastguard Worker  // Format: "{projects|folders|organizations}/{id}/accessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/AccessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to update access approval settings.
*d5c09012SAndroid Build Coastguard Workermessage UpdateAccessApprovalSettingsMessage {
*d5c09012SAndroid Build Coastguard Worker  // The new AccessApprovalSettings.
*d5c09012SAndroid Build Coastguard Worker  AccessApprovalSettings settings = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The update mask applies to the settings. Only the top level fields of
*d5c09012SAndroid Build Coastguard Worker  // AccessApprovalSettings (notification_emails & enrolled_services) are
*d5c09012SAndroid Build Coastguard Worker  // supported. For each field, if it is included, the currently stored value
*d5c09012SAndroid Build Coastguard Worker  // will be entirely overwritten with the value of the field passed in this
*d5c09012SAndroid Build Coastguard Worker  // request.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // For the `FieldMask` definition, see
*d5c09012SAndroid Build Coastguard Worker  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
*d5c09012SAndroid Build Coastguard Worker  // If this field is left unset, only the notification_emails field will be
*d5c09012SAndroid Build Coastguard Worker  // updated.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.FieldMask update_mask = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to delete access approval settings.
*d5c09012SAndroid Build Coastguard Workermessage DeleteAccessApprovalSettingsMessage {
*d5c09012SAndroid Build Coastguard Worker  // Name of the AccessApprovalSettings to delete.
*d5c09012SAndroid Build Coastguard Worker  string name = 1 [(google.api.resource_reference) = {
*d5c09012SAndroid Build Coastguard Worker                     type: "accessapproval.googleapis.com/AccessApprovalSettings"
*d5c09012SAndroid Build Coastguard Worker                   }];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Request to get an Access Approval service account.
*d5c09012SAndroid Build Coastguard Workermessage GetAccessApprovalServiceAccountMessage {
*d5c09012SAndroid Build Coastguard Worker  // Name of the AccessApprovalServiceAccount to retrieve.
*d5c09012SAndroid Build Coastguard Worker  string name = 1;
*d5c09012SAndroid Build Coastguard Worker}