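// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.identity.accesscontextmanager.v1;

import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option objc_class_prefix = "GACM";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";

// `AccessPolicy` is a container for `AccessLevels` (which define the necessary
// attributes to use Google Cloud services) and `ServicePerimeters` (which
// define regions of services able to freely pass data within a perimeter). An
// access policy is globally visible within an organization, and the
// restrictions it specifies apply to all projects within an organization.
//
// The `Output only` and `Required` markers on the fields below are comment
// conventions only: this file attaches no field-behavior annotation to any
// field, so nothing in the schema itself rejects a client-supplied value for
// an output-only field or a missing required one. Any enforcement has to
// happen in the service implementation, which is not visible in this file.
message AccessPolicy {
  option (google.api.resource) = {
    type: "accesscontextmanager.googleapis.com/AccessPolicy"
    pattern: "accessPolicies/{access_policy}"
  };

  // Output only. Resource name of the `AccessPolicy`. Format:
  // `accessPolicies/{access_policy}`
  string name = 1;

  // Required. The parent of this `AccessPolicy` in the Cloud Resource
  // Hierarchy. Currently immutable once created. Format:
  // `organizations/{organization_id}`
  string parent = 2;

  // Required. Human readable title. Does not affect behavior.
  string title = 3;

  // The scopes of a policy define which resources an ACM policy can restrict,
  // and where ACM resources can be referenced.
  // For example, a policy with scopes=["folders/123"] has the following
  // behavior:
  // - vpcsc perimeters can only restrict projects within folders/123
  // - access levels can only be referenced by resources within folders/123.
  // If empty, there are no limitations on which resources can be restricted by
  // an ACM policy, and there are no limitations on where ACM resources can be
  // referenced.
  // Only one policy can include a given scope (attempting to create a second
  // policy which includes "folders/123" will result in an error).
  // Currently, scopes cannot be modified after a policy is created.
  // Currently, policies can only have a single scope.
  // Format: list of `folders/{folder_number}` or `projects/{project_number}`
  //
  // Note for reviewers: an empty list is the broadest setting (no scope
  // limit at all), not an empty or disabled policy. Because `repeated` fields
  // carry no presence, "left unset" and "explicitly empty" are the same value
  // on the wire.
  //
  // Field number 7 is out of declaration order. The number, not the position,
  // identifies the field on the wire; do not renumber it to match.
  repeated string scopes = 7;

  // Output only. Time the `AccessPolicy` was created in UTC.
  google.protobuf.Timestamp create_time = 4;

  // Output only. Time the `AccessPolicy` was updated in UTC.
  google.protobuf.Timestamp update_time = 5;

  // Output only. An opaque identifier for the current version of the
  // `AccessPolicy`. This will always be a strongly validated etag, meaning that
  // two Access Policies will be identical if and only if their etags are
  // identical. Clients should not expect this to be in any specific format.
  //
  // NOTE(review): presumably meant to be echoed back on update so that a
  // concurrent modification of the policy is detected rather than silently
  // overwritten; confirm against the service definition, which is not part of
  // this file.
  string etag = 6;
}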