Skip to main content

access_approval_settings

Creates, updates, deletes, gets or lists a access_approval_settings resource.

Overview

Nameaccess_approval_settings
TypeResource
Idgoogle.accessapproval.access_approval_settings

Fields

NameDatatypeDescription
namestringThe resource name of the settings. Format is one of: "projects/{project}/accessApprovalSettings" "folders/{folder}/accessApprovalSettings" * "organizations/{organization}/accessApprovalSettings"
activeKeyVersionstringThe asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of this resource, and new non-empty values may not be set.
ancestorHasActiveKeyVersionbooleanOutput only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that an ancestor of this Project or Folder has set active_key_version (this field will always be unset for the organization since organizations do not have ancestors).
enrolledAncestorbooleanOutput only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that at least one service is enrolled for Access Approval in one or more ancestors of the Project or Folder (this field will always be unset for the organization since organizations do not have ancestors).
enrolledServicesarrayA list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. If name refers to an organization, enrollment can be done for individual services. If name refers to a folder or project, enrollment can only be done on an all or nothing basis. If a cloud_product is repeated in this list, the first entry will be honored and all following entries will be discarded. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded.
invalidKeyVersionbooleanOutput only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that there is some configuration issue with the active_key_version configured at this level in the resource hierarchy (e.g. it doesn't exist or the Access Approval service account doesn't have the correct permissions on it, etc.) This key version is not necessarily the effective key version at this level, as key versions are inherited top-down.
notificationEmailsarrayA list of email addresses to which notifications relating to approval requests should be sent. Notifications relating to a resource will be sent to all emails in the settings of ancestor resources of that resource. A maximum of 50 email addresses are allowed.
notificationPubsubTopicstringOptional. A pubsub topic to which notifications relating to approval requests should be sent.
preferNoBroadApprovalRequestsbooleanThis preference is communicated to Google personnel when sending an approval request but can be overridden if necessary.
preferredRequestExpirationDaysintegerThis preference is shared with Google personnel, but can be overridden if said personnel deems necessary. The approver ultimately can set the expiration at approval time.
requestScopeMaxWidthPreferencestringOptional. A setting to indicate the maximum width of an Access Approval request.
requireCustomerVisibleJustificationbooleanOptional. A setting to require approval request justifications to be customer visible.

Methods

NameAccessible byRequired ParamsDescription
folders_get_access_approval_settingsSELECTfoldersIdGets the settings associated with a project, folder, or organization.
organizations_get_access_approval_settingsSELECTorganizationsIdGets the settings associated with a project, folder, or organization.
projects_get_access_approval_settingsSELECTprojectsIdGets the settings associated with a project, folder, or organization.
folders_delete_access_approval_settingsDELETEfoldersIdDeletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the project, folder, or organization, but only if all ancestors also have Access Approval disabled. If Access Approval is enabled at a higher level of the hierarchy, then Access Approval will still be enabled at this level as the settings are inherited.
organizations_delete_access_approval_settingsDELETEorganizationsIdDeletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the project, folder, or organization, but only if all ancestors also have Access Approval disabled. If Access Approval is enabled at a higher level of the hierarchy, then Access Approval will still be enabled at this level as the settings are inherited.
projects_delete_access_approval_settingsDELETEprojectsIdDeletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the project, folder, or organization, but only if all ancestors also have Access Approval disabled. If Access Approval is enabled at a higher level of the hierarchy, then Access Approval will still be enabled at this level as the settings are inherited.
folders_update_access_approval_settingsUPDATEfoldersIdUpdates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.
organizations_update_access_approval_settingsUPDATEorganizationsIdUpdates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.
projects_update_access_approval_settingsUPDATEprojectsIdUpdates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.

SELECT examples

Gets the settings associated with a project, folder, or organization.

SELECT
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification
FROM google.accessapproval.access_approval_settings
WHERE foldersId = '{{ foldersId }}';

UPDATE example

Updates a access_approval_settings resource.

/*+ update */
UPDATE google.accessapproval.access_approval_settings
SET
name = '{{ name }}',
notificationEmails = '{{ notificationEmails }}',
enrolledServices = '{{ enrolledServices }}',
activeKeyVersion = '{{ activeKeyVersion }}',
preferredRequestExpirationDays = '{{ preferredRequestExpirationDays }}',
preferNoBroadApprovalRequests = true|false,
notificationPubsubTopic = '{{ notificationPubsubTopic }}',
requireCustomerVisibleJustification = true|false,
requestScopeMaxWidthPreference = '{{ requestScopeMaxWidthPreference }}'
WHERE
foldersId = '{{ foldersId }}';

DELETE example

Deletes the specified access_approval_settings resource.

/*+ delete */
DELETE FROM google.accessapproval.access_approval_settings
WHERE foldersId = '{{ foldersId }}';