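// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.policytroubleshooter.iam.v3;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/iam/v1/policy.proto";
import "google/iam/v2/policy.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";
import "google/type/expr.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.PolicyTroubleshooter.Iam.V3";
option go_package = "cloud.google.com/go/policytroubleshooter/iam/apiv3/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "TroubleshooterProto";
option java_package = "com.google.cloud.policytroubleshooter.iam.v3";
option php_namespace = "Google\\Cloud\\PolicyTroubleshooter\\Iam\\V3";
option ruby_package = "Google::Cloud::PolicyTroubleshooter::Iam::V3";

// IAM Policy Troubleshooter service.
//
// This service helps you troubleshoot access issues for Google Cloud resources.
service PolicyTroubleshooter {
  option (google.api.default_host) = "policytroubleshooter.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Checks whether a principal has a specific permission for a specific
  // resource, and explains why the principal does or doesn't have that
  // permission.
  //
  // The explanation only covers policies that the sender of the request is
  // allowed to read; where the sender lacks that access, the corresponding
  // `*_UNKNOWN_INFO` state is reported and the policy details are omitted.
  rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest)
      returns (TroubleshootIamPolicyResponse) {
    option (google.api.http) = {
      post: "/v3/iam:troubleshoot"
      body: "*"
    };
  }
}

// Whether IAM allow policies give the principal the permission.
enum AllowAccessState {
  // Not specified.
  ALLOW_ACCESS_STATE_UNSPECIFIED = 0;

  // The allow policy gives the principal the permission.
  ALLOW_ACCESS_STATE_GRANTED = 1;

  // The allow policy doesn't give the principal the permission.
  ALLOW_ACCESS_STATE_NOT_GRANTED = 2;

  // The allow policy gives the principal the permission if a condition
  // expression evaluates to `true`. However, the sender of the request didn't
  // provide enough context for Policy Troubleshooter to evaluate the condition
  // expression.
  ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;

  // The sender of the request doesn't have access to all of the allow policies
  // that Policy Troubleshooter needs to evaluate the principal's access.
  ALLOW_ACCESS_STATE_UNKNOWN_INFO = 4;
}

// Whether IAM deny policies deny the principal the permission.
enum DenyAccessState {
  // Not specified.
  DENY_ACCESS_STATE_UNSPECIFIED = 0;

  // The deny policy denies the principal the permission.
  DENY_ACCESS_STATE_DENIED = 1;

  // The deny policy doesn't deny the principal the permission.
  DENY_ACCESS_STATE_NOT_DENIED = 2;

  // The deny policy denies the principal the permission if a condition
  // expression evaluates to `true`. However, the sender of the request didn't
  // provide enough context for Policy Troubleshooter to evaluate the condition
  // expression.
  DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;

  // The sender of the request does not have access to all of the deny policies
  // that Policy Troubleshooter needs to evaluate the principal's access.
  DENY_ACCESS_STATE_UNKNOWN_INFO = 4;
}

// Whether a role includes a specific permission.
//
// NOTE(review): the non-zero values are not prefixed with the full enum name;
// they are kept as-is because renaming enum values breaks generated code and
// JSON for existing clients.
enum RolePermissionInclusionState {
  // Not specified.
  ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED = 0;

  // The permission is included in the role.
  ROLE_PERMISSION_INCLUDED = 1;

  // The permission is not included in the role.
  ROLE_PERMISSION_NOT_INCLUDED = 2;

  // The sender of the request is not allowed to access the role definition.
  ROLE_PERMISSION_UNKNOWN_INFO = 3;
}

// Whether the permission in the request matches the permission in the policy.
enum PermissionPatternMatchingState {
  // Not specified.
  PERMISSION_PATTERN_MATCHING_STATE_UNSPECIFIED = 0;

  // The permission in the request matches the permission in the policy.
  PERMISSION_PATTERN_MATCHED = 1;

  // The permission in the request does not match the permission in the policy.
  PERMISSION_PATTERN_NOT_MATCHED = 2;
}

// Whether the principal in the request matches the principal in the policy.
enum MembershipMatchingState {
  // Not specified.
  MEMBERSHIP_MATCHING_STATE_UNSPECIFIED = 0;

  // The principal in the request matches the principal in the policy. The
  // principal can be included directly or indirectly:
  //
  // * A principal is included directly if that principal is listed in the
  //   role binding.
  // * A principal is included indirectly if that principal is in a Google
  //   group, Google Workspace account, or Cloud Identity domain that is listed
  //   in the policy.
  MEMBERSHIP_MATCHED = 1;

  // The principal in the request doesn't match the principal in the policy.
  MEMBERSHIP_NOT_MATCHED = 2;

  // The principal in the policy is a group or domain, and the sender of the
  // request doesn't have permission to view whether the principal in the
  // request is a member of the group or domain.
  MEMBERSHIP_UNKNOWN_INFO = 3;

  // The principal is an unsupported type.
  MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4;
}

// The extent to which a single data point contributes to an overall
// determination.
enum HeuristicRelevance {
  // Not specified.
  HEURISTIC_RELEVANCE_UNSPECIFIED = 0;

  // The data point has a limited effect on the result. Changing the data point
  // is unlikely to affect the overall determination.
  HEURISTIC_RELEVANCE_NORMAL = 1;

  // The data point has a strong effect on the result. Changing the data point
  // is likely to affect the overall determination.
  HEURISTIC_RELEVANCE_HIGH = 2;
}

// Request for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyRequest {
  // The information to use for checking whether a principal has a permission
  // for a resource.
  AccessTuple access_tuple = 1;
}

// Response for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyResponse {
  // Whether the principal has the permission on the resource.
  enum OverallAccessState {
    // Not specified.
    OVERALL_ACCESS_STATE_UNSPECIFIED = 0;

    // The principal has the permission.
    CAN_ACCESS = 1;

    // The principal doesn't have the permission.
    CANNOT_ACCESS = 2;

    // The principal might have the permission, but the sender can't access all
    // of the information needed to fully evaluate the principal's access.
    UNKNOWN_INFO = 3;

    // The principal might have the permission, but Policy Troubleshooter can't
    // fully evaluate the principal's access because the sender didn't provide
    // the required context to evaluate the condition.
    UNKNOWN_CONDITIONAL = 4;
  }

  // Indicates whether the principal has the specified permission for the
  // specified resource, based on evaluating all types of the applicable IAM
  // policies.
  OverallAccessState overall_access_state = 1;

  // The access tuple from the request, including any provided context used to
  // evaluate the condition.
  AccessTuple access_tuple = 2;

  // An explanation of how the applicable IAM allow policies affect the final
  // access state.
  AllowPolicyExplanation allow_policy_explanation = 3;

  // An explanation of how the applicable IAM deny policies affect the final
  // access state.
  DenyPolicyExplanation deny_policy_explanation = 4;
}

// Information about the principal, resource, and permission to check.
message AccessTuple {
  // Required. The email address of the principal whose access you want to
  // check. For example, `alice@example.com` or
  // `my-service-account@my-project.iam.gserviceaccount.com`.
  //
  // The principal must be a Google Account or a service account. Other types of
  // principals are not supported.
  string principal = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The IAM permission to check for, either in the `v1` permission
  // format or the `v2` permission format.
  //
  // For a complete list of IAM permissions in the `v1` format, see
  // https://cloud.google.com/iam/help/permissions/reference.
  //
  // For a list of IAM permissions in the `v2` format, see
  // https://cloud.google.com/iam/help/deny/supported-permissions.
  //
  // For a complete list of predefined IAM roles and the permissions in each
  // role, see https://cloud.google.com/iam/help/roles/reference.
  string permission = 3 [(google.api.field_behavior) = REQUIRED];

  // Output only. The permission that Policy Troubleshooter checked for, in
  // the `v2` format.
  string permission_fqdn = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Additional context for the request, such as the request time or
  // IP address. This context allows Policy Troubleshooter to troubleshoot
  // conditional role bindings and deny rules.
  //
  // NOTE(review): these values are supplied by the sender of the request and
  // are the values the conditions are evaluated against, so the reported
  // condition outcome describes the supplied context rather than any observed
  // request. Presumably nothing here is verified against a live request —
  // confirm before relying on it for anything beyond troubleshooting.
  ConditionContext condition_context = 5
      [(google.api.field_behavior) = OPTIONAL];
}

// Additional context for troubleshooting conditional role bindings and deny
// rules.
message ConditionContext {
  // Core attributes for a resource. A resource is an
  // addressable (named) entity provided by the destination service. For
  // example, a Compute Engine instance.
  message Resource {
    // The name of the service that this resource belongs to, such as
    // `compute.googleapis.com`. The service name might not match the DNS
    // hostname that actually serves the request.
    //
    // For a full list of resource service values, see
    // https://cloud.google.com/iam/help/conditions/resource-services
    string service = 1;

    // The stable identifier (name) of a resource on the `service`. A resource
    // can be logically identified as `//{resource.service}/{resource.name}`.
    // Unlike the resource URI, the resource name doesn't contain any protocol
    // and version information.
    //
    // For a list of full resource name formats, see
    // https://cloud.google.com/iam/help/troubleshooter/full-resource-names
    string name = 2;

    // The type of the resource, in the format `{service}/{kind}`.
    //
    // For a full list of resource type values, see
    // https://cloud.google.com/iam/help/conditions/resource-types
    string type = 3;
  }

  // This message defines attributes for a node that handles a network request.
  // The node can be either a service or an application that sends, forwards,
  // or receives the request. Only the peer's network address and port are
  // modelled here.
  message Peer {
    // The IPv4 or IPv6 address of the peer.
    string ip = 1;

    // The network port of the peer.
    int64 port = 2;
  }

  // This message defines attributes for an HTTP request. If the actual
  // request is not an HTTP request, the runtime system should try to map
  // the actual request to an equivalent HTTP request.
  message Request {
    // Optional. The timestamp when the destination service receives the first
    // byte of the request.
    google.protobuf.Timestamp receive_time = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A tag that applies to a resource during policy evaluation. Tags can be
  // either directly bound to a resource or inherited from its ancestor.
  // `EffectiveTag` contains the `name` and `namespaced_name` of the tag value
  // and tag key, with an additional `inherited` field to indicate the
  // inheritance status of the effective tag.
  message EffectiveTag {
    // Output only. Resource name for TagValue in the format `tagValues/456`.
    string tag_value = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The namespaced name of the TagValue. Can be in the form
    // `{organization_id}/{tag_key_short_name}/{tag_value_short_name}` or
    // `{project_id}/{tag_key_short_name}/{tag_value_short_name}` or
    // `{project_number}/{tag_key_short_name}/{tag_value_short_name}`.
    string namespaced_tag_value = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The name of the TagKey, in the format `tagKeys/{id}`, such
    // as `tagKeys/123`.
    string tag_key = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The namespaced name of the TagKey. Can be in the form
    // `{organization_id}/{tag_key_short_name}` or
    // `{project_id}/{tag_key_short_name}` or
    // `{project_number}/{tag_key_short_name}`.
    string namespaced_tag_key = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

    // The parent name of the tag key.
    // Must be in the format `organizations/{organization_id}` or
    // `projects/{project_number}`
    string tag_key_parent_name = 6;

    // Output only. Indicates the inheritance status of a tag value
    // attached to the given resource. `true` if the tag value is inherited
    // from one of the resource's ancestors; `false` if the tag value is
    // directly attached to the resource.
    bool inherited = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Represents a target resource that is involved with a network activity.
  // If multiple resources are involved with an activity, this must be the
  // primary one.
  Resource resource = 1;

  // The destination of a network activity, such as accepting a TCP connection.
  // In a multi-hop network activity, the destination represents the receiver of
  // the last hop.
  Peer destination = 2;

  // Represents a network request, such as an HTTP request.
  Request request = 3;

  // Output only. The effective tags on the resource. The effective tags are
  // fetched during troubleshooting.
  repeated EffectiveTag effective_tags = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Details about how the relevant IAM allow policies affect the final access
// state.
message AllowPolicyExplanation {
  // Indicates whether the principal has the specified permission for the
  // specified resource, based on evaluating all applicable IAM allow policies.
  AllowAccessState allow_access_state = 1;

  // List of IAM allow policies that were evaluated to check the principal's
  // permissions, with annotations to indicate how each policy contributed to
  // the final result.
  //
  // The list of policies includes the policy for the resource itself, as well
  // as allow policies that are inherited from higher levels of the resource
  // hierarchy, including the organization, the folder, and the project.
  //
  // To learn more about the resource hierarchy, see
  // https://cloud.google.com/iam/help/resource-hierarchy.
  repeated ExplainedAllowPolicy explained_policies = 2;

  // The relevance of the allow policy type to the overall access state.
  HeuristicRelevance relevance = 3;
}

// Details about how a specific IAM allow policy contributed to the final access
// state.
message ExplainedAllowPolicy {
  // Required. Indicates whether _this policy_ provides the specified permission
  // to the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  AllowAccessState allow_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2;

  // Details about how each role binding in the policy affects the principal's
  // ability, or inability, to use the permission for the resource. The order of
  // the role bindings matches the role binding order in the policy.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  repeated AllowBindingExplanation binding_explanations = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;

  // The IAM allow policy attached to the resource.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  google.iam.v1.Policy policy = 5;
}

// Details about how a role binding in an allow policy affects a principal's
// ability to use a permission.
message AllowBindingExplanation {
  // Details about whether the role binding includes the principal.
  message AnnotatedAllowMembership {
    // Indicates whether the role binding includes the principal.
    MembershipMatchingState membership = 1;

    // The relevance of the principal's status to the overall determination for
    // the role binding.
    HeuristicRelevance relevance = 2;
  }

  // Required. Indicates whether _this role binding_ gives the specified
  // permission to the specified principal on the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission on the resource. There might be another role binding that
  // overrides this role binding. To determine whether the principal actually
  // has the permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  AllowAccessState allow_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The role that this role binding grants. For example,
  // `roles/compute.admin`.
  //
  // For a complete list of predefined IAM roles, as well as the permissions in
  // each role, see https://cloud.google.com/iam/help/roles/reference.
  string role = 2;

  // Indicates whether the role granted by this role binding contains the
  // specified permission.
  RolePermissionInclusionState role_permission = 3;

  // The relevance of the permission's existence, or nonexistence, in the role
  // to the overall determination for the entire policy.
  HeuristicRelevance role_permission_relevance = 4;

  // The combined result of all memberships. Indicates if the principal is
  // included in any role binding, either directly or indirectly.
  AnnotatedAllowMembership combined_membership = 5;

  // Indicates whether each role binding includes the principal specified in the
  // request, either directly or indirectly. Each key identifies a principal in
  // the role binding, and each value indicates whether the principal in the
  // role binding includes the principal in the request.
  //
  // For example, suppose that a role binding includes the following principals
  // (example values):
  //
  // * `user:alice@example.com`
  // * `group:product-eng@example.com`
  //
  // You want to troubleshoot access for `user:bob@example.com`. This user is a
  // member of the group `group:product-eng@example.com`.
  //
  // For the first principal in the role binding, the key is
  // `user:alice@example.com`, and the `membership` field in the value is set
  // to `MEMBERSHIP_NOT_MATCHED`.
  //
  // For the second principal in the role binding, the key is
  // `group:product-eng@example.com`, and the `membership` field in the value
  // is set to `MEMBERSHIP_MATCHED`.
  map<string, AnnotatedAllowMembership> memberships = 6;

  // The relevance of this role binding to the overall determination for the
  // entire policy.
  HeuristicRelevance relevance = 7;

  // A condition expression that specifies when the role binding grants access.
  //
  // To learn about IAM Conditions, see
  // https://cloud.google.com/iam/help/conditions/overview.
  google.type.Expr condition = 8;

  // Condition evaluation state for this role binding.
  ConditionExplanation condition_explanation = 9;
}

// Details about how the relevant IAM deny policies affect the final access
// state.
message DenyPolicyExplanation {
  // Indicates whether the principal is denied the specified permission for
  // the specified resource, based on evaluating all applicable IAM deny
  // policies.
  DenyAccessState deny_access_state = 1;

  // List of resources with IAM deny policies that were evaluated to check the
  // principal's denied permissions, with annotations to indicate how each
  // policy contributed to the final result.
  //
  // The list of resources includes the policy for the resource itself, as well
  // as policies that are inherited from higher levels of the resource
  // hierarchy, including the organization, the folder, and the project. The
  // order of the resources starts from the resource and climbs up the resource
  // hierarchy.
  //
  // To learn more about the resource hierarchy, see
  // https://cloud.google.com/iam/help/resource-hierarchy.
  repeated ExplainedDenyResource explained_resources = 2;

  // The relevance of the deny policy result to the overall access state.
  HeuristicRelevance relevance = 3;

  // Indicates whether the permission to troubleshoot is supported in deny
  // policies.
  bool permission_deniable = 4;
}

// Details about how a specific resource contributed to the deny policy
// evaluation.
message ExplainedDenyResource {
  // Required. Indicates whether any policies attached to _this resource_ deny
  // the specific permission to the specified principal for the specified
  // resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2;

  // List of IAM deny policies that were evaluated to check the principal's
  // denied permissions, with annotations to indicate how each policy
  // contributed to the final result.
  repeated ExplainedDenyPolicy explained_policies = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;
}

// Details about how a specific IAM deny policy [Policy][google.iam.v2.Policy]
// contributed to the access check.
message ExplainedDenyPolicy {
  // Required. Indicates whether _this policy_ denies the specified permission
  // to the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The IAM deny policy attached to the resource.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  google.iam.v2.Policy policy = 2;

  // Details about how each rule in the policy affects the principal's inability
  // to use the permission for the resource. The order of the deny rules matches
  // the order of the rules in the deny policy.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  repeated DenyRuleExplanation rule_explanations = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;
}

// Details about how a deny rule in a deny policy affects a principal's ability
// to use a permission.
message DenyRuleExplanation {
  // Details about whether the permission in the request is denied by the
  // deny rule.
  message AnnotatedPermissionMatching {
    // Indicates whether the permission in the request is denied by the deny
    // rule.
    PermissionPatternMatchingState permission_matching_state = 1;

    // The relevance of the permission status to the overall determination for
    // the rule.
    HeuristicRelevance relevance = 2;
  }

  // Details about whether the principal in the request is listed as a denied
  // principal in the deny rule, either directly or through membership in a
  // principal set.
  message AnnotatedDenyPrincipalMatching {
    // Indicates whether the principal is listed as a denied principal in the
    // deny rule, either directly or through membership in a principal set.
    MembershipMatchingState membership = 1;

    // The relevance of the principal's status to the overall determination for
    // the deny rule.
    HeuristicRelevance relevance = 2;
  }

  // Required. Indicates whether _this rule_ denies the specified permission to
  // the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal is actually denied on
  // the permission for the resource. There might be another rule that overrides
  // this rule. To determine whether the principal actually has the permission,
  // use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // Indicates whether the permission in the request is listed as a denied
  // permission in the deny rule.
  AnnotatedPermissionMatching combined_denied_permission = 2;

  // Lists all denied permissions in the deny rule and indicates whether each
  // permission matches the permission in the request.
  //
  // Each key identifies a denied permission in the rule, and each value
  // indicates whether the denied permission matches the permission in the
  // request.
  map<string, AnnotatedPermissionMatching> denied_permissions = 3;

  // Indicates whether the permission in the request is listed as an exception
  // permission in the deny rule.
  AnnotatedPermissionMatching combined_exception_permission = 4;

  // Lists all exception permissions in the deny rule and indicates whether each
  // permission matches the permission in the request.
  //
  // Each key identifies an exception permission in the rule, and each value
  // indicates whether the exception permission matches the permission in the
  // request.
  map<string, AnnotatedPermissionMatching> exception_permissions = 5;

  // Indicates whether the principal is listed as a denied principal in the
  // deny rule, either directly or through membership in a principal set.
  AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

  // Lists all denied principals in the deny rule and indicates whether each
  // principal matches the principal in the request, either directly or through
  // membership in a principal set.
  //
  // Each key identifies a denied principal in the rule, and each value
  // indicates whether the denied principal matches the principal in the
  // request.
  map<string, AnnotatedDenyPrincipalMatching> denied_principals = 7;

  // Indicates whether the principal is listed as an exception principal in the
  // deny rule, either directly or through membership in a principal set.
  AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

  // Lists all exception principals in the deny rule and indicates whether each
  // principal matches the principal in the request, either directly or through
  // membership in a principal set.
  //
  // Each key identifies an exception principal in the rule, and each value
  // indicates whether the exception principal matches the principal in the
  // request.
  map<string, AnnotatedDenyPrincipalMatching> exception_principals = 9;

  // The relevance of this deny rule to the overall determination for the
  // entire policy.
  HeuristicRelevance relevance = 10;

  // A condition expression that specifies when the deny rule denies the
  // principal access.
  //
  // To learn about IAM Conditions, see
  // https://cloud.google.com/iam/help/conditions/overview.
  google.type.Expr condition = 11;

  // Condition evaluation state for this deny rule.
  ConditionExplanation condition_explanation = 12;
}

// Explanation for how a condition affects a principal's access.
message ConditionExplanation {
  // Evaluated state of a condition expression.
  message EvaluationState {
    // Start position of an expression in the condition, by character.
    int32 start = 1;

    // End position of an expression in the condition, by character,
    // end included, for example: the end position of the first part of
    // `a==b || c==d` would be 4.
    int32 end = 2;

    // Value of this expression.
    google.protobuf.Value value = 3;

    // Any errors that prevented complete evaluation of the condition
    // expression.
    repeated google.rpc.Status errors = 4;
  }

  // Value of the condition.
  google.protobuf.Value value = 1;

  // Any errors that prevented complete evaluation of the condition expression.
  repeated google.rpc.Status errors = 3;

  // The value of each statement of the condition expression. The value can be
  // `true`, `false`, or `null`. The value is `null` if the statement can't be
  // evaluated.
  repeated EvaluationState evaluation_states = 2;
}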