// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.policytroubleshooter.iam.v3beta;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/iam/v1/policy.proto";
import "google/iam/v2/policy.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";
import "google/type/expr.proto";

option cc_enable_arenas = true;
option go_package = "cloud.google.com/go/policytroubleshooter/iam/apiv3beta/iampb;iampb";
option java_multiple_files = true;
option java_outer_classname = "TroubleshooterProto";
option java_package = "com.google.cloud.policytroubleshooter.iam.v3beta";

// IAM Policy Troubleshooter service.
//
// This service helps you troubleshoot access issues for Google Cloud resources.
//
// Responses describe the allow and deny policies that were evaluated.
// Policy-level details are returned only where the sender of the request can
// read the policy in question; where the sender cannot, the corresponding
// fields are omitted and the access state is reported as an `*_UNKNOWN_INFO`
// value.
service PolicyTroubleshooter {
  option (google.api.default_host) = "policytroubleshooter.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Checks whether a principal has a specific permission for a specific
  // resource, and explains why the principal does or doesn't have that
  // permission.
  //
  // The request carries the principal, resource and permission to check plus
  // optional caller-supplied context for evaluating conditions; the response
  // reports an overall access state together with per-policy explanations.
  rpc TroubleshootIamPolicy(TroubleshootIamPolicyRequest)
      returns (TroubleshootIamPolicyResponse) {
    option (google.api.http) = {
      post: "/v3beta/iam:troubleshoot"
      body: "*"
    };
  }
}

// Whether IAM allow policies give the principal the permission.
enum AllowAccessState {
  // Not specified.
  ALLOW_ACCESS_STATE_UNSPECIFIED = 0;

  // The allow policy gives the principal the permission.
  ALLOW_ACCESS_STATE_GRANTED = 1;

  // The allow policy doesn't give the principal the permission.
  ALLOW_ACCESS_STATE_NOT_GRANTED = 2;

  // The allow policy gives the principal the permission if a condition
  // expression evaluates to `true`. However, the sender of the request didn't
  // provide enough context for Policy Troubleshooter to evaluate the condition
  // expression.
  ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;

  // The sender of the request doesn't have access to all of the allow policies
  // that Policy Troubleshooter needs to evaluate the principal's access.
  ALLOW_ACCESS_STATE_UNKNOWN_INFO = 4;
}

// Whether IAM deny policies deny the principal the permission.
enum DenyAccessState {
  // Not specified.
  DENY_ACCESS_STATE_UNSPECIFIED = 0;

  // The deny policy denies the principal the permission.
  DENY_ACCESS_STATE_DENIED = 1;

  // The deny policy doesn't deny the principal the permission.
  DENY_ACCESS_STATE_NOT_DENIED = 2;

  // The deny policy denies the principal the permission if a condition
  // expression evaluates to `true`. However, the sender of the request didn't
  // provide enough context for Policy Troubleshooter to evaluate the condition
  // expression.
  DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL = 3;

  // The sender of the request does not have access to all of the deny policies
  // that Policy Troubleshooter needs to evaluate the principal's access.
  DENY_ACCESS_STATE_UNKNOWN_INFO = 4;
}

// Whether a role includes a specific permission.
enum RolePermissionInclusionState {
  // Not specified.
  ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED = 0;

  // The permission is included in the role.
  ROLE_PERMISSION_INCLUDED = 1;

  // The permission is not included in the role.
  ROLE_PERMISSION_NOT_INCLUDED = 2;

  // The sender of the request is not allowed to access the role definition.
  ROLE_PERMISSION_UNKNOWN_INFO = 3;
}

// Whether the permission in the request matches the permission in the policy.
enum PermissionPatternMatchingState {
  // Not specified.
  PERMISSION_PATTERN_MATCHING_STATE_UNSPECIFIED = 0;

  // The permission in the request matches the permission in the policy.
  PERMISSION_PATTERN_MATCHED = 1;

  // The permission in the request doesn't match the permission in the policy.
  PERMISSION_PATTERN_NOT_MATCHED = 2;
}

// Whether the principal in the request matches the principal in the policy.
enum MembershipMatchingState {
  // Not specified.
  MEMBERSHIP_MATCHING_STATE_UNSPECIFIED = 0;

  // The principal in the request matches the principal in the policy. The
  // principal can be included directly or indirectly:
  //
  // * A principal is included directly if that principal is listed in the
  //   role binding.
  // * A principal is included indirectly if that principal is in a Google
  //   group, Google Workspace account, or Cloud Identity domain that is listed
  //   in the policy.
  MEMBERSHIP_MATCHED = 1;

  // The principal in the request doesn't match the principal in the policy.
  MEMBERSHIP_NOT_MATCHED = 2;

  // The principal in the policy is a group or domain, and the sender of the
  // request doesn't have permission to view whether the principal in the
  // request is a member of the group or domain.
  MEMBERSHIP_UNKNOWN_INFO = 3;

  // The principal is an unsupported type.
  MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4;
}

// The extent to which a single data point contributes to an overall
// determination.
enum HeuristicRelevance {
  // Not specified.
  HEURISTIC_RELEVANCE_UNSPECIFIED = 0;

  // The data point has a limited effect on the result. Changing the data point
  // is unlikely to affect the overall determination.
  HEURISTIC_RELEVANCE_NORMAL = 1;

  // The data point has a strong effect on the result. Changing the data point
  // is likely to affect the overall determination.
  HEURISTIC_RELEVANCE_HIGH = 2;
}

// Request for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3beta.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyRequest {
  // The information to use for checking whether a principal has a permission
  // for a resource.
  AccessTuple access_tuple = 1;
}

// Response for
// [TroubleshootIamPolicy][google.cloud.policytroubleshooter.iam.v3beta.PolicyTroubleshooter.TroubleshootIamPolicy].
message TroubleshootIamPolicyResponse {
  // Whether the principal has the permission on the resource.
  enum OverallAccessState {
    // Not specified.
    OVERALL_ACCESS_STATE_UNSPECIFIED = 0;

    // The principal has the permission.
    CAN_ACCESS = 1;

    // The principal doesn't have the permission.
    CANNOT_ACCESS = 2;

    // The principal might have the permission, but the sender can't access all
    // of the information needed to fully evaluate the principal's access.
    UNKNOWN_INFO = 3;

    // The principal might have the permission, but Policy Troubleshooter can't
    // fully evaluate the principal's access because the sender didn't provide
    // the required context to evaluate the condition.
    UNKNOWN_CONDITIONAL = 4;
  }

  // Indicates whether the principal has the specified permission for the
  // specified resource, based on evaluating all types of the applicable IAM
  // policies.
  //
  // This is the only field that combines allow and deny evaluation; the
  // per-policy states in the explanations below describe individual policies
  // and must not be read as the final answer.
  OverallAccessState overall_access_state = 1;

  // The access tuple from the request, including any provided context used to
  // evaluate the condition.
  AccessTuple access_tuple = 2;

  // An explanation of how the applicable IAM allow policies affect the final
  // access state.
  AllowPolicyExplanation allow_policy_explanation = 3;

  // An explanation of how the applicable IAM deny policies affect the final
  // access state.
  DenyPolicyExplanation deny_policy_explanation = 4;
}

// Information about the principal, resource, and permission to check.
message AccessTuple {
  // Required. The email address of the principal whose access you want to
  // check. For example, `[email protected]` or
  // `[email protected]`.
  //
  // The principal must be a Google Account or a service account. Other types of
  // principals are not supported.
  string principal = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The IAM permission to check for, either in the `v1` permission
  // format or the `v2` permission format.
  //
  // For a complete list of IAM permissions in the `v1` format, see
  // https://cloud.google.com/iam/help/permissions/reference.
  //
  // For a list of IAM permissions in the `v2` format, see
  // https://cloud.google.com/iam/help/deny/supported-permissions.
  //
  // For a complete list of predefined IAM roles and the permissions in each
  // role, see https://cloud.google.com/iam/help/roles/reference.
  string permission = 3 [(google.api.field_behavior) = REQUIRED];

  // Output only. The permission that Policy Troubleshooter checked for, in
  // the `v2` format.
  string permission_fqdn = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Additional context for the request, such as the request time or
  // IP address. This context allows Policy Troubleshooter to troubleshoot
  // conditional role bindings and deny rules.
  //
  // The context is supplied by the sender and is what condition expressions
  // are evaluated against, so the resulting access state describes access
  // under the context the sender asserts rather than any real request.
  ConditionContext condition_context = 5
      [(google.api.field_behavior) = OPTIONAL];
}

// Additional context for troubleshooting conditional role bindings and deny
// rules.
//
// Everything in this message except `effective_tags` is provided by the
// sender of the request and is used as the context against which condition
// expressions are evaluated.
message ConditionContext {
  // Core attributes for a resource. A resource is an
  // addressable (named) entity provided by the destination service. For
  // example, a Compute Engine instance.
  message Resource {
    // The name of the service that this resource belongs to, such as
    // `compute.googleapis.com`. The service name might not match the DNS
    // hostname that actually serves the request.
    //
    // For a full list of resource service values, see
    // https://cloud.google.com/iam/help/conditions/resource-services
    string service = 1;

    // The stable identifier (name) of a resource on the `service`. A resource
    // can be logically identified as `//{resource.service}/{resource.name}`.
    // Unlike the resource URI, the resource name doesn't contain any protocol
    // and version information.
    //
    // For a list of full resource name formats, see
    // https://cloud.google.com/iam/help/troubleshooter/full-resource-names
    string name = 2;

    // The type of the resource, in the format `{service}/{kind}`.
    //
    // For a full list of resource type values, see
    // https://cloud.google.com/iam/help/conditions/resource-types
    string type = 3;
  }

  // This message defines attributes for a node that handles a network request.
  // The node can be either a service or an application that sends, forwards,
  // or receives the request. Only the peer's network address is modeled here:
  // `ip` and `port`.
  message Peer {
    // The IPv4 or IPv6 address of the peer.
    string ip = 1;

    // The network port of the peer.
    int64 port = 2;
  }

  // This message defines attributes for an HTTP request. If the actual
  // request is not an HTTP request, the runtime system should try to map
  // the actual request to an equivalent HTTP request.
  message Request {
    // Optional. The timestamp when the destination service receives the first
    // byte of the request.
    google.protobuf.Timestamp receive_time = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A tag that applies to a resource during policy evaluation. Tags can be
  // either directly bound to a resource or inherited from its ancestor.
  // `EffectiveTag` contains the `name` and `namespaced_name` of the tag value
  // and tag key, with additional fields of `inherited` to indicate the
  // inheritance status of the effective tag.
  message EffectiveTag {
    // Output only. Resource name for TagValue in the format `tagValues/456`.
    string tag_value = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The namespaced name of the TagValue. Can be in the form
    // `{organization_id}/{tag_key_short_name}/{tag_value_short_name}` or
    // `{project_id}/{tag_key_short_name}/{tag_value_short_name}` or
    // `{project_number}/{tag_key_short_name}/{tag_value_short_name}`.
    string namespaced_tag_value = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The name of the TagKey, in the format `tagKeys/{id}`, such
    // as `tagKeys/123`.
    string tag_key = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. The namespaced name of the TagKey. Can be in the form
    // `{organization_id}/{tag_key_short_name}` or
    // `{project_id}/{tag_key_short_name}` or
    // `{project_number}/{tag_key_short_name}`.
    string namespaced_tag_key = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

    // The parent name of the tag key.
    // Must be in the format `organizations/{organization_id}` or
    // `projects/{project_number}`.
    //
    // NOTE(review): unlike its sibling fields this one carries no
    // field_behavior annotation; confirm whether it is output only as well.
    string tag_key_parent_name = 6;

    // Output only. Indicates the inheritance status of a tag value
    // attached to the given resource. If the tag value is inherited from one of
    // the resource's ancestors, `inherited` is true. If `inherited` is false,
    // the tag value is directly attached to the resource.
    bool inherited = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Represents a target resource that is involved with a network activity.
  // If multiple resources are involved with an activity, this must be the
  // primary one.
  Resource resource = 1;

  // The destination of a network activity, such as accepting a TCP connection.
  // In a multi-hop network activity, the destination represents the receiver of
  // the last hop.
  Peer destination = 2;

  // Represents a network request, such as an HTTP request.
  Request request = 3;

  // Output only. The effective tags on the resource. The effective tags are
  // fetched during troubleshooting.
  repeated EffectiveTag effective_tags = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Details about how the relevant IAM allow policies affect the final access
// state.
message AllowPolicyExplanation {
  // Indicates whether the principal has the specified permission for the
  // specified resource, based on evaluating all applicable IAM allow policies.
  AllowAccessState allow_access_state = 1;

  // List of IAM allow policies that were evaluated to check the principal's
  // permissions, with annotations to indicate how each policy contributed to
  // the final result.
  //
  // The list of policies includes the policy for the resource itself, as well
  // as allow policies that are inherited from higher levels of the resource
  // hierarchy, including the organization, the folder, and the project.
  //
  // To learn more about the resource hierarchy, see
  // https://cloud.google.com/iam/help/resource-hierarchy.
  repeated ExplainedAllowPolicy explained_policies = 2;

  // The relevance of the allow policy type to the overall access state.
  HeuristicRelevance relevance = 3;
}

// Details about how a specific IAM allow policy contributed to the final access
// state.
message ExplainedAllowPolicy {
  // Required. Indicates whether _this policy_ provides the specified permission
  // to the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  AllowAccessState allow_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2;

  // Details about how each role binding in the policy affects the principal's
  // ability, or inability, to use the permission for the resource. The order of
  // the role bindings matches the role binding order in the policy.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  repeated AllowBindingExplanation binding_explanations = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;

  // The IAM allow policy attached to the resource.
  //
  // If the sender of the request does not have access to the policy, this field
  // is empty.
  //
  // This field carries the policy itself, so a response containing it should
  // be handled with the same care as the policy it embeds.
  google.iam.v1.Policy policy = 5;
}

// Details about how a role binding in an allow policy affects a principal's
// ability to use a permission.
message AllowBindingExplanation {
  // Details about whether the role binding includes the principal.
  message AnnotatedAllowMembership {
    // Indicates whether the role binding includes the principal.
    MembershipMatchingState membership = 1;

    // The relevance of the principal's status to the overall determination for
    // the role binding.
    HeuristicRelevance relevance = 2;
  }

  // Required. Indicates whether _this role binding_ gives the specified
  // permission to the specified principal on the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission on the resource. There might be another role binding that
  // overrides this role binding. To determine whether the principal actually
  // has the permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  AllowAccessState allow_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The role that this role binding grants. For example,
  // `roles/compute.admin`.
  //
  // For a complete list of predefined IAM roles, as well as the permissions in
  // each role, see https://cloud.google.com/iam/help/roles/reference.
  string role = 2;

  // Indicates whether the role granted by this role binding contains the
  // specified permission.
  RolePermissionInclusionState role_permission = 3;

  // The relevance of the permission's existence, or nonexistence, in the role
  // to the overall determination for the entire policy.
  HeuristicRelevance role_permission_relevance = 4;

  // The combined result of all memberships. Indicates if the principal is
  // included in any role binding, either directly or indirectly.
  AnnotatedAllowMembership combined_membership = 5;

  // Indicates whether each role binding includes the principal specified in the
  // request, either directly or indirectly. Each key identifies a principal in
  // the role binding, and each value indicates whether the principal in the
  // role binding includes the principal in the request.
  //
  // For example, suppose that a role binding includes the following principals:
  //
  // * `user:[email protected]`
  // * `group:[email protected]`
  //
  // You want to troubleshoot access for `user:[email protected]`. This user is a
  // member of the group `group:[email protected]`.
  //
  // For the first principal in the role binding, the key is
  // `user:[email protected]`, and the `membership` field in the value is set to
  // `MEMBERSHIP_NOT_MATCHED`.
  //
  // For the second principal in the role binding, the key is
  // `group:[email protected]`, and the `membership` field in the value is
  // set to `MEMBERSHIP_MATCHED`.
  //
  // Map iteration order is not defined; rely on the keys, not the order in
  // which entries arrive.
  map<string, AnnotatedAllowMembership> memberships = 6;

  // The relevance of this role binding to the overall determination for the
  // entire policy.
  HeuristicRelevance relevance = 7;

  // A condition expression that specifies when the role binding grants access.
  //
  // To learn about IAM Conditions, see
  // https://cloud.google.com/iam/help/conditions/overview.
  google.type.Expr condition = 8;

  // Condition evaluation state for this role binding.
  ConditionExplanation condition_explanation = 9;
}

// Details about how the relevant IAM deny policies affect the final access
// state.
message DenyPolicyExplanation {
  // Indicates whether the principal is denied the specified permission for
  // the specified resource, based on evaluating all applicable IAM deny
  // policies.
  DenyAccessState deny_access_state = 1;

  // List of resources with IAM deny policies that were evaluated to check the
  // principal's denied permissions, with annotations to indicate how each
  // policy contributed to the final result.
  //
  // The list of resources includes the policy for the resource itself, as well
  // as policies that are inherited from higher levels of the resource
  // hierarchy, including the organization, the folder, and the project. The
  // order of the resources starts from the resource and climbs up the resource
  // hierarchy.
  //
  // To learn more about the resource hierarchy, see
  // https://cloud.google.com/iam/help/resource-hierarchy.
  repeated ExplainedDenyResource explained_resources = 2;

  // The relevance of the deny policy result to the overall access state.
  HeuristicRelevance relevance = 3;

  // Indicates whether the permission to troubleshoot is supported in deny
  // policies. When false, deny policies cannot have been the reason for a
  // denial of this permission.
  bool permission_deniable = 4;
}

// Details about how a specific resource contributed to the deny policy
// evaluation.
message ExplainedDenyResource {
  // Required. Indicates whether any policies attached to _this resource_ deny
  // the specific permission to the specified principal for the specified
  // resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The full resource name that identifies the resource. For example,
  // `//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  //
  // For examples of full resource names for Google Cloud services, see
  // https://cloud.google.com/iam/help/troubleshooter/full-resource-names.
  string full_resource_name = 2;

  // List of IAM deny policies that were evaluated to check the principal's
  // denied permissions, with annotations to indicate how each policy
  // contributed to the final result.
  repeated ExplainedDenyPolicy explained_policies = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;
}

// Details about how a specific IAM deny policy [Policy][google.iam.v2.Policy]
// contributed to the access check.
message ExplainedDenyPolicy {
  // Required. Indicates whether _this policy_ denies the specified permission
  // to the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal actually has the
  // permission for the resource. There might be another policy that overrides
  // this policy. To determine whether the principal actually has the
  // permission, use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // The IAM deny policy attached to the resource.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  //
  // This field carries the policy itself, so a response containing it should
  // be handled with the same care as the policy it embeds.
  google.iam.v2.Policy policy = 2;

  // Details about how each rule in the policy affects the principal's inability
  // to use the permission for the resource. The order of the deny rules matches
  // the order of the rules in the deny policy.
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  repeated DenyRuleExplanation rule_explanations = 3;

  // The relevance of this policy to the overall access state in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  //
  // If the sender of the request does not have access to the policy, this field
  // is omitted.
  HeuristicRelevance relevance = 4;
}

// Details about how a deny rule in a deny policy affects a principal's ability
// to use a permission.
message DenyRuleExplanation {
  // Details about whether the permission in the request is denied by the
  // deny rule.
  message AnnotatedPermissionMatching {
    // Indicates whether the permission in the request is denied by the deny
    // rule.
    PermissionPatternMatchingState permission_matching_state = 1;

    // The relevance of the permission status to the overall determination for
    // the rule.
    HeuristicRelevance relevance = 2;
  }

  // Details about whether the principal in the request is listed as a denied
  // principal in the deny rule, either directly or through membership in a
  // principal set.
  message AnnotatedDenyPrincipalMatching {
    // Indicates whether the principal is listed as a denied principal in the
    // deny rule, either directly or through membership in a principal set.
    MembershipMatchingState membership = 1;

    // The relevance of the principal's status to the overall determination for
    // the deny rule.
    HeuristicRelevance relevance = 2;
  }

  // Required. Indicates whether _this rule_ denies the specified permission to
  // the specified principal for the specified resource.
  //
  // This field does _not_ indicate whether the principal is actually denied on
  // the permission for the resource. There might be another rule that overrides
  // this rule. To determine whether the principal actually has the permission,
  // use the `overall_access_state` field in the
  // [TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3beta.TroubleshootIamPolicyResponse].
  DenyAccessState deny_access_state = 1
      [(google.api.field_behavior) = REQUIRED];

  // Indicates whether the permission in the request is listed as a denied
  // permission in the deny rule.
  AnnotatedPermissionMatching combined_denied_permission = 2;

  // Lists all denied permissions in the deny rule and indicates whether each
  // permission matches the permission in the request.
  //
  // Each key identifies a denied permission in the rule, and each value
  // indicates whether the denied permission matches the permission in the
  // request.
  map<string, AnnotatedPermissionMatching> denied_permissions = 3;

  // Indicates whether the permission in the request is listed as an exception
  // permission in the deny rule.
  AnnotatedPermissionMatching combined_exception_permission = 4;

  // Lists all exception permissions in the deny rule and indicates whether each
  // permission matches the permission in the request.
  //
  // Each key identifies an exception permission in the rule, and each value
  // indicates whether the exception permission matches the permission in the
  // request.
  map<string, AnnotatedPermissionMatching> exception_permissions = 5;

  // Indicates whether the principal is listed as a denied principal in the
  // deny rule, either directly or through membership in a principal set.
  AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

  // Lists all denied principals in the deny rule and indicates whether each
  // principal matches the principal in the request, either directly or through
  // membership in a principal set.
  //
  // Each key identifies a denied principal in the rule, and each value
  // indicates whether the denied principal matches the principal in the
  // request.
  map<string, AnnotatedDenyPrincipalMatching> denied_principals = 7;

  // Indicates whether the principal is listed as an exception principal in the
  // deny rule, either directly or through membership in a principal set.
  AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

  // Lists all exception principals in the deny rule and indicates whether each
  // principal matches the principal in the request, either directly or through
  // membership in a principal set.
  //
  // Each key identifies an exception principal in the rule, and each value
  // indicates whether the exception principal matches the principal in the
  // request.
  map<string, AnnotatedDenyPrincipalMatching> exception_principals = 9;

  // The relevance of this deny rule to the overall determination for the
  // entire policy.
  HeuristicRelevance relevance = 10;

  // A condition expression that specifies when the deny rule denies the
  // principal access.
  //
  // To learn about IAM Conditions, see
  // https://cloud.google.com/iam/help/conditions/overview.
  google.type.Expr condition = 11;

  // Condition evaluation state for this deny rule.
  ConditionExplanation condition_explanation = 12;
}

// Explanation for how a condition affects a principal's access.
message ConditionExplanation {
  // Evaluated state of a condition expression.
  message EvaluationState {
    // Start position of an expression in the condition, by character.
    int32 start = 1;

    // End position of an expression in the condition, by character,
    // end included, for example: the end position of the first part of
    // `a==b || c==d` would be 4.
    int32 end = 2;

    // Value of this expression.
    google.protobuf.Value value = 3;

    // Any errors that prevented complete evaluation of the condition
    // expression.
    repeated google.rpc.Status errors = 4;
  }

  // Value of the condition.
  google.protobuf.Value value = 1;

  // Any errors that prevented complete evaluation of the condition expression.
  repeated google.rpc.Status errors = 3;

  // The value of each statement of the condition expression. The value can be
  // `true`, `false`, or `null`. The value is `null` if the statement can't be
  // evaluated.
  repeated EvaluationState evaluation_states = 2;
}