// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
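syntax = "proto3";

package google.cloud.cloudcontrolspartner.v1beta;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

// Per-language code-generation settings. These determine the package and
// namespace of the generated types in each target language.
option csharp_namespace = "Google.Cloud.CloudControlsPartner.V1Beta";
option go_package = "cloud.google.com/go/cloudcontrolspartner/apiv1beta/cloudcontrolspartnerpb;cloudcontrolspartnerpb";
option java_multiple_files = true;
option java_outer_classname = "AccessApprovalRequestsProto";
option java_package = "com.google.cloud.cloudcontrolspartner.v1beta";
option php_namespace = "Google\\Cloud\\CloudControlsPartner\\V1beta";
option ruby_package = "Google::Cloud::CloudControlsPartner::V1beta";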
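// Details about the Access request.
//
// This message describes what was requested: when, for which reason, and
// until when. It has no field recording whether the request was approved or
// dismissed, so the presence of an entry is not evidence that access was
// granted.
message AccessApprovalRequest {
  option (google.api.resource) = {
    type: "cloudcontrolspartner.googleapis.com/AccessApprovalRequest"
    pattern: "organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}/accessApprovalRequests/{access_approval_request}"
    plural: "accessApprovalRequests"
    singular: "accessApprovalRequest"
  };

  // Identifier. Format:
  // organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}/accessApprovalRequests/{access_approval_request}.
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // The time at which approval was requested.
  google.protobuf.Timestamp request_time = 2;

  // The justification for which approval is being requested.
  //
  // Message fields have explicit presence: an unset reason, or one whose
  // `type` is `TYPE_UNSPECIFIED`, means no justification was supplied and
  // should be handled as such rather than as an acceptable default.
  AccessReason requested_reason = 3;

  // The requested expiration for the approval. If the request is approved,
  // access will be granted from the time of approval until the expiration time.
  //
  // This schema states no upper bound on the value, so the length of the
  // resulting access window is worth checking when a request is reviewed.
  google.protobuf.Timestamp requested_expiration_time = 4;
}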
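// Request for getting the access requests associated with a workload.
message ListAccessApprovalRequestsRequest {
  // Required. Parent resource
  // Format:
  // organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudcontrolspartner.googleapis.com/AccessApprovalRequest"
    }
  ];

  // Optional. The maximum number of access requests to return. The service may
  // return fewer than this value. If unspecified, at most 500 access requests
  // will be returned.
  //
  // The field is a signed `int32`; how the service treats negative values is
  // not stated here.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous
  // `ListAccessApprovalRequests` call. Provide this to retrieve the subsequent
  // page.
  //
  // Pass the token back unmodified; its contents are not described by this
  // schema.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Filter expression applied to the results. The expression syntax
  // is not specified in this file.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Hint for how to order the results. Because this is a hint,
  // callers should not depend on the returned order for correctness.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}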
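// Response message for list access requests.
message ListAccessApprovalRequestsResponse {
  // List of access approval requests
  repeated AccessApprovalRequest access_approval_requests = 1;

  // A token that can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;

  // Locations that could not be reached.
  //
  // When this list is non-empty, `access_approval_requests` is incomplete:
  // requests held in the listed locations are missing from the result. A
  // consumer that audits or monitors access requests should surface this
  // condition instead of treating the response as a full inventory.
  repeated string unreachable = 3;
}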
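// Reason for the access.
message AccessReason {
  // Type of access justification.
  //
  // proto3 enums are open: a receiver built against this file can see numeric
  // values it does not know. Handle unrecognised values explicitly rather
  // than mapping them onto a known justification.
  enum Type {
    // Default value for proto, shouldn't be used.
    TYPE_UNSPECIFIED = 0;

    // Customer made a request or raised an issue that required the principal to
    // access customer data. `detail` is of the form ("#####" is the issue ID):
    //
    // - "Feedback Report: #####"
    // - "Case Number: #####"
    // - "Case ID: #####"
    // - "E-PIN Reference: #####"
    // - "Google-#####"
    // - "T-#####"
    CUSTOMER_INITIATED_SUPPORT = 1;

    // The principal accessed customer data in order to diagnose or resolve a
    // suspected issue in services. Often this access is used to confirm that
    // customers are not affected by a suspected service issue or to remediate a
    // reversible system issue.
    GOOGLE_INITIATED_SERVICE = 2;

    // Google initiated service for security, fraud, abuse, or compliance
    // purposes.
    GOOGLE_INITIATED_REVIEW = 3;

    // The principal was compelled to access customer data in order to respond
    // to a legal third party data request or process, including legal processes
    // from customers themselves.
    THIRD_PARTY_DATA_REQUEST = 4;

    // The principal accessed customer data in order to diagnose or resolve a
    // suspected issue in services or a known outage.
    GOOGLE_RESPONSE_TO_PRODUCTION_ALERT = 5;

    // Similar to 'GOOGLE_INITIATED_SERVICE' or 'GOOGLE_INITIATED_REVIEW', but
    // with universe agnostic naming. The principal accessed customer data in
    // order to diagnose or resolve a suspected issue in services or a known
    // outage, or for security, fraud, abuse, or compliance review purposes.
    CLOUD_INITIATED_ACCESS = 6;
  }

  // Type of access justification.
  Type type = 1;

  // More detail about certain reason types. See comments for each type above.
  //
  // This is a plain string: the schema does not enforce the formats listed on
  // the enum values, so parse it defensively and escape it before rendering.
  string detail = 2;
}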