Skip to main content

browser_dlp_rules_iam_policies

Creates, updates, deletes, gets or lists a browser_dlp_rules_iam_policies resource.

Overview

Namebrowser_dlp_rules_iam_policies
TypeResource
Idgoogle.beyondcorp.browser_dlp_rules_iam_policies

Fields

NameDatatypeDescription
conditionobjectRepresents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
membersarraySpecifies the principals requesting access for a Google Cloud resource. members can have the following values: allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Does not include identities that come from external identity providers (IdPs) through identity federation. user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid}: An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com. serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]: An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa]. group:{emailid}: An email address that represents a Google group. For example, admins@example.com. domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com. principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workforce identity pool. principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}: All workforce identities in a group. principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All workforce identities with a specific attribute value. `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/: All identities in a workforce identity pool. * principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}: A single identity in a workload identity pool. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}: A workload identity pool group. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}: All identities in a workload identity pool with a certain attribute. * principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/`: All identities in a workload identity pool. deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. * deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}: Deleted single identity in a workforce identity pool. For example, deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value.
rolestringRole that is assigned to the list of members, or principals. For example, roles/viewer, roles/editor, or roles/owner. For an overview of the IAM roles and permissions, see the IAM documentation. For a list of the available pre-defined roles, see here.

Methods

NameAccessible byRequired ParamsDescription
organizations_locations_global_partner_tenants_browser_dlp_rules_get_iam_policySELECTbrowserDlpRulesId, organizationsId, partnerTenantsIdGets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.
organizations_locations_global_partner_tenants_browser_dlp_rules_set_iam_policyREPLACEbrowserDlpRulesId, organizationsId, partnerTenantsIdSets the access control policy on the specified resource. Replaces any existing policy. Can return NOT_FOUND, INVALID_ARGUMENT, and PERMISSION_DENIED errors.
organizations_locations_global_partner_tenants_browser_dlp_rules_test_iam_permissionsEXECbrowserDlpRulesId, organizationsId, partnerTenantsIdReturns permissions that a caller has on the specified resource. If the resource does not exist, this will return an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

SELECT examples

Gets the access control policy for a resource. Returns an empty policy if the resource exists and does not have a policy set.

SELECT
condition,
members,
role
FROM google.beyondcorp.browser_dlp_rules_iam_policies
WHERE browserDlpRulesId = '{{ browserDlpRulesId }}'
AND organizationsId = '{{ organizationsId }}'
AND partnerTenantsId = '{{ partnerTenantsId }}';

REPLACE example

Replaces all fields in the specified browser_dlp_rules_iam_policies resource.

/*+ update */
REPLACE google.beyondcorp.browser_dlp_rules_iam_policies
SET
policy = '{{ policy }}',
updateMask = '{{ updateMask }}'
WHERE
browserDlpRulesId = '{{ browserDlpRulesId }}'
AND organizationsId = '{{ organizationsId }}'
AND partnerTenantsId = '{{ partnerTenantsId }}';