1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.identity.accesscontextmanager.v1;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/api/resource.proto";
23import "google/iam/v1/iam_policy.proto";
24import "google/iam/v1/policy.proto";
25import "google/identity/accesscontextmanager/v1/access_level.proto";
26import "google/identity/accesscontextmanager/v1/access_policy.proto";
27import "google/identity/accesscontextmanager/v1/gcp_user_access_binding.proto";
28import "google/identity/accesscontextmanager/v1/service_perimeter.proto";
29import "google/longrunning/operations.proto";
30import "google/protobuf/field_mask.proto";
31
32option csharp_namespace = "Google.Identity.AccessContextManager.V1";
33option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
34option java_multiple_files = true;
35option java_outer_classname = "AccessContextManagerProto";
36option java_package = "com.google.identity.accesscontextmanager.v1";
37option objc_class_prefix = "GACM";
38option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
39option ruby_package = "Google::Identity::AccessContextManager::V1";
40
// API for setting [access levels]
// [google.identity.accesscontextmanager.v1.AccessLevel] and [service
// perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]
// for Google Cloud projects. Each organization has one [access policy]
// [google.identity.accesscontextmanager.v1.AccessPolicy] that contains the
// [access levels] [google.identity.accesscontextmanager.v1.AccessLevel]
// and [service perimeters]
// [google.identity.accesscontextmanager.v1.ServicePerimeter]. This
// [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy] is
// applicable to all resources in the organization.
//
// Every mutating RPC in this service returns a google.longrunning.Operation
// and the RPC comments below state that the change is only effective once
// the operation reports success. Callers that gate other work on a new or
// changed perimeter, level or binding must therefore wait on the operation,
// not on the RPC returning.
service AccessContextManager {
  option (google.api.default_host) = "accesscontextmanager.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists all [access policies]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] in an
  // organization. The HTTP rule has no path variable, so the request's
  // `parent` is transmitted as a query parameter.
  rpc ListAccessPolicies(ListAccessPoliciesRequest) returns (ListAccessPoliciesResponse) {
    option (google.api.http) = {
      get: "/v1/accessPolicies"
    };
  }

  // Returns an [access policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the name.
  rpc GetAccessPolicy(GetAccessPolicyRequest) returns (AccessPolicy) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates an access policy. This method fails if the organization already has
  // an access policy. The long-running operation has a successful status
  // after the access policy propagates to long-lasting storage.
  // Syntactic and basic semantic errors are returned in `metadata` as a
  // BadRequest proto.
  //
  // NOTE(review): this RPC takes the AccessPolicy resource directly instead of
  // a dedicated CreateAccessPolicyRequest wrapper, so request-level parameters
  // (for example an idempotency key) cannot be added later without a new RPC.
  rpc CreateAccessPolicy(AccessPolicy) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/accessPolicies"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Updates an [access policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy]. The
  // long-running operation from this RPC has a successful status after the
  // changes to the [access policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] propagate
  // to long-lasting storage. The target is identified by `policy.name` in the
  // request body.
  rpc UpdateAccessPolicy(UpdateAccessPolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{policy.name=accessPolicies/*}"
      body: "policy"
    };
    option (google.api.method_signature) = "policy,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "AccessPolicy"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Deletes an [access policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] based on the
  // resource name. The long-running operation has a successful status after the
  // [access policy] [google.identity.accesscontextmanager.v1.AccessPolicy]
  // is removed from long-lasting storage.
  rpc DeleteAccessPolicy(DeleteAccessPolicyRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Lists all [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] for an access
  // policy.
  rpc ListAccessLevels(ListAccessLevelsRequest) returns (ListAccessLevelsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=accessPolicies/*}/accessLevels"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets an [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
  // name.
  rpc GetAccessLevel(GetAccessLevelRequest) returns (AccessLevel) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*/accessLevels/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates an [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
  // operation from this RPC has a successful status after the [access
  // level] [google.identity.accesscontextmanager.v1.AccessLevel]
  // propagates to long-lasting storage. If [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] contain
  // errors, an error response is returned for the first error encountered.
  rpc CreateAccessLevel(CreateAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/accessLevels"
      body: "access_level"
    };
    option (google.api.method_signature) = "parent,access_level";
    option (google.longrunning.operation_info) = {
      response_type: "AccessLevel"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Updates an [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. The long-running
  // operation from this RPC has a successful status after the changes to
  // the [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] propagate
  // to long-lasting storage. If [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] contain
  // errors, an error response is returned for the first error encountered.
  rpc UpdateAccessLevel(UpdateAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{access_level.name=accessPolicies/*/accessLevels/*}"
      body: "access_level"
    };
    option (google.api.method_signature) = "access_level,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "AccessLevel"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Deletes an [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] based on the resource
  // name. The long-running operation from this RPC has a successful status
  // after the [access level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] has been removed
  // from long-lasting storage.
  rpc DeleteAccessLevel(DeleteAccessLevelRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*/accessLevels/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Replaces all existing [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] in an [access
  // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with
  // the [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] provided. This
  // is done atomically. The long-running operation from this RPC has a
  // successful status after all replacements propagate to long-lasting
  // storage. If the replacement contains errors, an error response is returned
  // for the first error encountered.  Upon error, the replacement is cancelled,
  // and existing [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] are not
  // affected. The Operation.response field contains
  // ReplaceAccessLevelsResponse. Removing [access levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] contained in existing
  // [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] result in an
  // error.
  //
  // Because this is a whole-set replacement, any level omitted from the request
  // is deleted; callers should supply the request `etag` so a concurrent edit
  // is rejected rather than silently overwritten.
  rpc ReplaceAccessLevels(ReplaceAccessLevelsRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/accessLevels:replaceAll"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "ReplaceAccessLevelsResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Lists all [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] for an
  // access policy.
  rpc ListServicePerimeters(ListServicePerimetersRequest) returns (ListServicePerimetersResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=accessPolicies/*}/servicePerimeters"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
  // resource name.
  rpc GetServicePerimeter(GetServicePerimeterRequest) returns (ServicePerimeter) {
    option (google.api.http) = {
      get: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
  // long-running operation from this RPC has a successful status after the
  // [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]
  // propagates to long-lasting storage. If a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
  // errors, an error response is returned for the first error encountered.
  rpc CreateServicePerimeter(CreateServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters"
      body: "service_perimeter"
    };
    option (google.api.method_signature) = "parent,service_perimeter";
    option (google.longrunning.operation_info) = {
      response_type: "ServicePerimeter"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Updates a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]. The
  // long-running operation from this RPC has a successful status after the
  // [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter]
  // propagates to long-lasting storage. If a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] contains
  // errors, an error response is returned for the first error encountered.
  rpc UpdateServicePerimeter(UpdateServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{service_perimeter.name=accessPolicies/*/servicePerimeters/*}"
      body: "service_perimeter"
    };
    option (google.api.method_signature) = "service_perimeter,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "ServicePerimeter"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Deletes a [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] based on the
  // resource name. The long-running operation from this RPC has a successful
  // status after the [service perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] is removed from
  // long-lasting storage.
  rpc DeleteServicePerimeter(DeleteServicePerimeterRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=accessPolicies/*/servicePerimeters/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Replaces all existing [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an [access
  // policy] [google.identity.accesscontextmanager.v1.AccessPolicy] with the
  // [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] provided. This
  // is done atomically. The long-running operation from this RPC has a
  // successful status after all replacements propagate to long-lasting storage.
  // Replacements containing errors result in an error response for the first
  // error encountered. Upon an error, the replacement is cancelled and existing
  // [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] are not
  // affected. The Operation.response field contains
  // ReplaceServicePerimetersResponse.
  //
  // As with ReplaceAccessLevels, any perimeter omitted from the request is
  // removed, which widens the organization's effective boundary; review the
  // full set before calling.
  rpc ReplaceServicePerimeters(ReplaceServicePerimetersRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters:replaceAll"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "ReplaceServicePerimetersResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Commits the dry-run specification for all the [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in an
  // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
  // A commit operation on a service perimeter involves copying its `spec` field
  // to the `status` field of the service perimeter. Only [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] with
  // `use_explicit_dry_run_spec` field set to true are affected by a commit
  // operation. The long-running operation from this RPC has a successful
  // status after the dry-run specifications for all the [service perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] have been
  // committed. If a commit fails, it causes the long-running operation to
  // return an error response and the entire commit operation is cancelled.
  // When successful, the Operation.response field contains
  // CommitServicePerimetersResponse. The `dry_run` and the `spec` fields are
  // cleared after a successful commit operation.
  //
  // Committing is the step that makes a dry-run configuration enforced, so it
  // is the point at which a dry-run review should have been completed.
  rpc CommitServicePerimeters(CommitServicePerimetersRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=accessPolicies/*}/servicePerimeters:commit"
      body: "*"
    };
    option (google.longrunning.operation_info) = {
      response_type: "CommitServicePerimetersResponse"
      metadata_type: "AccessContextManagerOperationMetadata"
    };
  }

  // Lists all [GcpUserAccessBindings]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] for a
  // Google Cloud organization.
  rpc ListGcpUserAccessBindings(ListGcpUserAccessBindingsRequest) returns (ListGcpUserAccessBindingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets the [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] with
  // the given name.
  rpc GetGcpUserAccessBinding(GetGcpUserAccessBindingRequest) returns (GcpUserAccessBinding) {
    option (google.api.http) = {
      get: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]. If the
  // client specifies a [name]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.name],
  // the server ignores it. Fails if a resource already exists with the same
  // [group_key]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding.group_key].
  // Completion of this long-running operation does not necessarily signify that
  // the new binding is deployed onto all affected users, which may take more
  // time.
  rpc CreateGcpUserAccessBinding(CreateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*}/gcpUserAccessBindings"
      body: "gcp_user_access_binding"
    };
    option (google.api.method_signature) = "parent,gcp_user_access_binding";
    option (google.longrunning.operation_info) = {
      response_type: "GcpUserAccessBinding"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }

  // Updates a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
  // Completion of this long-running operation does not necessarily signify that
  // the changed binding is deployed onto all affected users, which may take
  // more time.
  rpc UpdateGcpUserAccessBinding(UpdateGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{gcp_user_access_binding.name=organizations/*/gcpUserAccessBindings/*}"
      body: "gcp_user_access_binding"
    };
    option (google.api.method_signature) = "gcp_user_access_binding,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "GcpUserAccessBinding"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }

  // Deletes a [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding].
  // Completion of this long-running operation does not necessarily signify that
  // the binding deletion is deployed onto all affected users, which may take
  // more time. Until it is deployed, affected users are still subject to the
  // deleted binding.
  rpc DeleteGcpUserAccessBinding(DeleteGcpUserAccessBindingRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/gcpUserAccessBindings/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "GcpUserAccessBindingOperationMetadata"
    };
  }

  // Sets the IAM policy for the specified Access Context Manager
  // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
  // This method replaces the existing IAM policy on the access policy. The IAM
  // policy controls the set of users who can perform specific operations on the
  // Access Context Manager [access
  // policy][google.identity.accesscontextmanager.v1.AccessPolicy].
  //
  // Since the whole policy is replaced, callers should read the current policy
  // with GetIamPolicy, modify it, and write the complete binding set back; a
  // partial policy silently drops every grant it omits.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=accessPolicies/*}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the IAM policy for the specified Access Context Manager
  // [access policy][google.identity.accesscontextmanager.v1.AccessPolicy].
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=accessPolicies/*}:getIamPolicy"
      body: "*"
    };
  }

  // Returns the IAM permissions that the caller has on the specified Access
  // Context Manager resource. The resource can be an
  // [AccessPolicy][google.identity.accesscontextmanager.v1.AccessPolicy],
  // [AccessLevel][google.identity.accesscontextmanager.v1.AccessLevel], or
  // [ServicePerimeter][google.identity.accesscontextmanager.v1.ServicePerimeter].
  // This method does not support other resources; the three HTTP bindings
  // below are the supported resource shapes.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=accessPolicies/*}:testIamPermissions"
      body: "*"
      additional_bindings {
        post: "/v1/{resource=accessPolicies/*/accessLevels/*}:testIamPermissions"
        body: "*"
      }
      additional_bindings {
        post: "/v1/{resource=accessPolicies/*/servicePerimeters/*}:testIamPermissions"
        body: "*"
      }
    };
  }
}
473
// A request to list all `AccessPolicies` for a container.
message ListAccessPoliciesRequest {
  // Required. Resource name for the container to list AccessPolicy instances
  // from.
  //
  // Format:
  // `organizations/{org_id}`
  //
  // The `ListAccessPolicies` HTTP rule (`GET /v1/accessPolicies`) binds no
  // path variable for this field, so it is sent as a query parameter.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Number of AccessPolicy instances to include in the list. Default 100.
  // This is a proto3 scalar without explicit presence, so 0 is
  // indistinguishable from "not set" and the default applies.
  int32 page_size = 2;

  // Next page token for the next batch of AccessPolicy instances. Defaults to
  // the first page of results. Pass the previous response's
  // `next_page_token` here unchanged.
  string page_token = 3;
}
495
// A response to `ListAccessPoliciesRequest`.
message ListAccessPoliciesResponse {
  // List of the AccessPolicy instances.
  repeated AccessPolicy access_policies = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain. The token is opaque; feed it back as
  // `ListAccessPoliciesRequest.page_token` without interpreting it.
  string next_page_token = 2;
}
505
// A request to get a particular `AccessPolicy`.
message GetAccessPolicyRequest {
  // Required. Resource name for the access policy to get.
  //
  // Format: `accessPolicies/{policy_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessPolicy"
    }
  ];
}
518
// A request to update an `AccessPolicy`.
message UpdateAccessPolicyRequest {
  // Required. The updated AccessPolicy. Its `name` identifies the policy to
  // update (the HTTP rule is `PATCH /v1/{policy.name=accessPolicies/*}`).
  AccessPolicy policy = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  // Only the fields named in the mask are taken from `policy`; other fields
  // of the stored policy are left as they are.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
527
// A request to delete an `AccessPolicy`.
message DeleteAccessPolicyRequest {
  // Required. Resource name for the access policy to delete.
  //
  // Format: `accessPolicies/{policy_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessPolicy"
    }
  ];
}
540
// A request to list all `AccessLevels` in an `AccessPolicy`.
message ListAccessLevelsRequest {
  // Required. Resource name for the access policy to list [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] from.
  //
  // Format:
  // `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Number of [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] to include in
  // the list. Default 100. As a proto3 scalar, 0 means "not set".
  int32 page_size = 2;

  // Next page token for the next batch of [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances.
  // Defaults to the first page of results.
  string page_token = 3;

  // Whether to return `BasicLevels` in the Cloud Common Expression language, as
  // `CustomLevels`, rather than as `BasicLevels`. Defaults to returning
  // `AccessLevels` in the format they were defined.
  // `LevelFormat` is declared elsewhere in this package; its zero value is the
  // "as defined" behaviour described above.
  LevelFormat access_level_format = 4;
}
570
// A response to `ListAccessLevelsRequest`.
message ListAccessLevelsResponse {
  // List of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances, in the
  // format selected by the request's `access_level_format`.
  repeated AccessLevel access_levels = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain.
  string next_page_token = 2;
}
581
// A request to get a particular `AccessLevel`.
message GetAccessLevelRequest {
  // Required. Resource name for the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format:
  // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Whether to return `BasicLevels` in the Cloud Common Expression
  // Language rather than as `BasicLevels`. Defaults to AS_DEFINED, where
  // [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel]
  // are returned as `BasicLevels` or `CustomLevels` based on how they were
  // created. If set to CEL, all [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] are returned as
  // `CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent
  // `CustomLevels`. The CEL translation is a read-time view only; it does not
  // change how the level is stored.
  LevelFormat access_level_format = 2;
}
606
// A request to create an `AccessLevel`.
message CreateAccessLevelRequest {
  // Required. Resource name for the access policy which owns this [Access
  // Level] [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Required. The [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] to create.
  // Syntactic correctness of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] is a
  // precondition for creation. This field is the HTTP request body
  // (`body: "access_level"` on the RPC).
  AccessLevel access_level = 2 [(google.api.field_behavior) = REQUIRED];
}
627
// A request to update an `AccessLevel`.
message UpdateAccessLevelRequest {
  // Required. The updated [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel]. Syntactic
  // correctness of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] is a
  // precondition for the update. Its `name` selects the level to update
  // (the HTTP rule is `PATCH /v1/{access_level.name=...}`).
  AccessLevel access_level = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
640
// A request to delete an `AccessLevel`.
message DeleteAccessLevelRequest {
  // Required. Resource name for the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format:
  // `accessPolicies/{policy_id}/accessLevels/{access_level_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];
}
655
// A request to replace all existing Access Levels in an Access Policy with
// the Access Levels provided. This is done atomically. Any existing level not
// present in `access_levels` is removed by the replacement.
message ReplaceAccessLevelsRequest {
  // Required. Resource name for the access policy which owns these
  // [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/AccessLevel"
    }
  ];

  // Required. The desired [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] that should
  // replace all existing [Access Levels]
  // [google.identity.accesscontextmanager.v1.AccessLevel] in the
  // [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy].
  repeated AccessLevel access_levels = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // replace operation is to be performed on. If, at the time of replace, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the replace operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, the operation will be performed as if a valid etag is provided.
  //
  // Omitting the etag therefore disables the concurrency check: a replacement
  // made between the caller's read and this call is overwritten without any
  // error. Supply the etag whenever the new set was derived from a read.
  //
  // NOTE(review): field number 3 is skipped and not declared `reserved`. If it
  // was ever assigned, add `reserved 3;` so it cannot be reused with a new
  // meaning.
  string etag = 4;
}
688
// A response to ReplaceAccessLevelsRequest. This will be put inside of
// Operation.response field.
message ReplaceAccessLevelsResponse {
  // List of the [Access Level]
  // [google.identity.accesscontextmanager.v1.AccessLevel] instances that are
  // now in effect after the replacement.
  repeated AccessLevel access_levels = 1;
}
696
// A request to list all `ServicePerimeters` in an `AccessPolicy`.
message ListServicePerimetersRequest {
  // Required. Resource name for the access policy to list [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] from.
  //
  // Format:
  // `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Number of [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to include
  // in the list. Default 100. As a proto3 scalar, 0 means "not set".
  int32 page_size = 2;

  // Next page token for the next batch of [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
  // Defaults to the first page of results.
  string page_token = 3;
}
721
// A response to `ListServicePerimetersRequest`.
message ListServicePerimetersResponse {
  // List of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances
  // on this page of results.
  repeated ServicePerimeter service_perimeters = 1;

  // The pagination token to retrieve the next page of results. If the value is
  // empty, no further results remain. Feed it back as
  // `ListServicePerimetersRequest.page_token` to fetch the next page.
  string next_page_token = 2;
}
732
// A request to get a particular `ServicePerimeter`.
message GetServicePerimeterRequest {
  // Required. Resource name for the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format:
  // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];
}
747
// A request to create a `ServicePerimeter`.
message CreateServicePerimeterRequest {
  // Required. Resource name for the access policy which owns this [Service
  // Perimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Required. The [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to create.
  // Syntactic correctness of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] is a
  // precondition for creation; a malformed perimeter is rejected rather than
  // partially applied.
  ServicePerimeter service_perimeter = 2 [(google.api.field_behavior) = REQUIRED];
}
768
// A request to update a `ServicePerimeter`.
// NOTE(review): unlike the Replace/Commit requests, this message carries no
// `etag` field, so there is no optimistic-concurrency check on a single
// perimeter update — presumably the last writer wins; confirm server-side
// behavior before relying on concurrent updates.
message UpdateServicePerimeterRequest {
  // Required. The updated `ServicePerimeter`. Syntactic correctness of the
  // `ServicePerimeter` is a precondition for the update (the original comment
  // says "creation", apparently inherited from CreateServicePerimeterRequest).
  // Its `name` identifies which perimeter is updated.
  ServicePerimeter service_perimeter = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Mask to control which fields get updated. Must be non-empty.
  // Paths are field names of `ServicePerimeter`; fields not listed in the
  // mask are left unchanged.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
778
// A request to delete a `ServicePerimeter`.
message DeleteServicePerimeterRequest {
  // Required. Resource name for the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] to delete.
  //
  // Format:
  // `accessPolicies/{policy_id}/servicePerimeters/{service_perimeter_id}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];
}
793
// A request to replace all existing Service Perimeters in an Access Policy
// with the Service Perimeters provided. This is done atomically.
//
// Because the whole perimeter set is replaced, any perimeter absent from
// `service_perimeters` is removed from the policy. Supplying `etag` makes the
// replace conditional on the policy version the caller last read, which
// guards against clobbering a concurrent change to the policy.
message ReplaceServicePerimetersRequest {
  // Required. Resource name for the access policy which owns these
  // [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter].
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Required. The desired [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] that should
  // replace all existing [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in the
  // [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy].
  // NOTE(review): a `repeated` field has no presence, so an empty list is
  // indistinguishable from an omitted one on the wire; whether the server
  // treats that as "missing required field" or as "remove every perimeter"
  // is not visible here — confirm before automating this call.
  repeated ServicePerimeter service_perimeters = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // replace operation is to be performed on. If, at the time of replace, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the replace operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, the operation will be performed as if a valid etag is provided,
  // i.e. unconditionally.
  string etag = 3;
}
826
// A response to ReplaceServicePerimetersRequest. This will be put inside of
// Operation.response field, i.e. it is only available once the long-running
// replace operation has completed.
message ReplaceServicePerimetersResponse {
  // List of the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances.
  // Presumably the full set of perimeters in the policy after the replace
  // took effect — confirm against the service documentation.
  repeated ServicePerimeter service_perimeters = 1;
}
834
// A request to commit dry-run specs in all [Service Perimeters]
// [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to
// an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].
//
// The commit applies to every perimeter under `parent` at once; there is no
// per-perimeter selector in this request. Supplying `etag` makes the commit
// conditional on the policy version the caller last read.
message CommitServicePerimetersRequest {
  // Required. Resource name for the parent [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] which owns all
  // [Service Perimeters]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] in scope for
  // the commit operation.
  //
  // Format: `accessPolicies/{policy_id}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "accesscontextmanager.googleapis.com/ServicePerimeter"
    }
  ];

  // Optional. The etag for the version of the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy] that this
  // commit operation is to be performed on. If, at the time of commit, the
  // etag for the Access Policy stored in Access Context Manager is different
  // from the specified etag, then the commit operation will not be performed
  // and the call will fail. This field is not required. If etag is not
  // provided, the operation will be performed as if a valid etag is provided,
  // i.e. unconditionally.
  string etag = 2;
}
862
// A response to CommitServicePerimetersRequest. This will be put inside of
// Operation.response field, i.e. it is only available once the long-running
// commit operation has completed.
message CommitServicePerimetersResponse {
  // List of all the [Service Perimeter]
  // [google.identity.accesscontextmanager.v1.ServicePerimeter] instances in
  // the [Access Policy]
  // [google.identity.accesscontextmanager.v1.AccessPolicy], as they stand
  // after the commit.
  repeated ServicePerimeter service_perimeters = 1;
}
872
// The format used in an `AccessLevel`. Controls how access levels are
// rendered when returned by the API.
//
// NOTE(review): the non-zero values are not prefixed with the enum name
// (`LEVEL_FORMAT_AS_DEFINED`, ...), which is the convention that avoids
// enum-value name collisions in generated code. Renaming them now would be
// source-breaking for a published API, so they are left as is.
enum LevelFormat {
  // The format was not specified. Default value; carries no format choice.
  LEVEL_FORMAT_UNSPECIFIED = 0;

  // Uses the format the resource was defined in. BasicLevels are returned as
  // BasicLevels, CustomLevels are returned as CustomLevels.
  AS_DEFINED = 1;

  // Use Cloud Common Expression Language when returning the resource.  Both
  // BasicLevels and CustomLevels are returned as CustomLevels.
  CEL = 2;
}
886
// Request of [ListGcpUserAccessBindings]
// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
// Lists the bindings owned by one organization, with pagination.
message ListGcpUserAccessBindingsRequest {
  // Required. Example: "organizations/256"
  // The resource name of the organization that owns the bindings (see the
  // `resource_reference` type below).
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Optional. Maximum number of items to return. The server may return fewer items.
  // If left blank, the server may return any number of items.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If left blank, returns the first page. To enumerate all items, use the
  // [next_page_token]
  // [google.identity.accesscontextmanager.v1.ListGcpUserAccessBindingsResponse.next_page_token]
  // from your previous list operation.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}
908
// Response of [ListGcpUserAccessBindings]
// [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].
message ListGcpUserAccessBindingsResponse {
  // The [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding]
  // instances on this page of results.
  repeated GcpUserAccessBinding gcp_user_access_bindings = 1;

  // Token to get the next page of items. If blank, there are no more items.
  // Feed it back as `ListGcpUserAccessBindingsRequest.page_token`.
  string next_page_token = 2;
}
919
// Request of [GetGcpUserAccessBinding]
// [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding].
message GetGcpUserAccessBindingRequest {
  // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
  // The full resource name of the binding to fetch.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
    }
  ];
}
931
// Request of [CreateGcpUserAccessBinding]
// [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding].
message CreateGcpUserAccessBindingRequest {
  // Required. Example: "organizations/256"
  // The resource name of the organization that will own the new binding.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Required. The [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] to create.
  GcpUserAccessBinding gcp_user_access_binding = 2 [(google.api.field_behavior) = REQUIRED];
}
947
// Request of [UpdateGcpUserAccessBinding]
// [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding].
message UpdateGcpUserAccessBindingRequest {
  // Required. The [GcpUserAccessBinding]
  // [google.identity.accesscontextmanager.v1.GcpUserAccessBinding] carrying
  // the new values; its `name` identifies the binding to update.
  GcpUserAccessBinding gcp_user_access_binding = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Only the fields specified in this mask are updated. Because name and
  // group_key cannot be changed, update_mask is required and must always be:
  //
  // update_mask {
  // paths: "access_levels"
  // }
  //
  // In other words, the only mutable field of a binding is `access_levels`;
  // any other path is expected to be rejected.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}
963
// Request of [DeleteGcpUserAccessBinding]
// [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding].
message DeleteGcpUserAccessBindingRequest {
  // Required. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
  // The full resource name of the binding to delete.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "accesscontextmanager.googleapis.com/GcpUserAccessBinding"
    }
  ];
}
975
// Currently, a completed operation means nothing. In the future, this metadata
// and a completed operation may indicate that the binding has taken effect and
// is affecting access decisions for all users.
//
// Intentionally empty for now; presumably defined so that fields can be added
// later without changing the `Operation.metadata` type advertised by the RPC.
message GcpUserAccessBindingOperationMetadata {

}
982
// Metadata of Access Context Manager's Long Running Operations.
//
// Intentionally empty for now; presumably defined so that fields can be added
// later without changing the `Operation.metadata` type advertised by the RPCs.
message AccessContextManagerOperationMetadata {

}
987