| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Clears a `Policy` from a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p> |
| <p class="toc_element"> |
| <code><a href="#getOrgPolicy">getOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a `Policy` on a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies">listOrgPolicies(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists all the `Policies` set for a particular resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#setOrgPolicy">setOrgPolicy(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body=None, x__xgafv=None)</code> |
| <pre>Clears a `Policy` from a resource. |
| |
| Args: |
| resource: string, Name of the resource for the `Policy` to clear. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the ClearOrgPolicy method. |
| "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear. |
| "etag": "A String", # The current version, for concurrency control. Not sending an `etag` |
| # will cause the `Policy` to be cleared blindly. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body=None, x__xgafv=None)</code> |
| <pre>Gets the effective `Policy` on a resource. This is the result of merging |
| `Policies` in the resource hierarchy. The returned `Policy` will not have |
| an `etag`set because it is a computed `Policy` across multiple resources. |
| Subtrees of Resource Manager resource hierarchy with 'under:' prefix will |
| not be expanded. |
| |
| Args: |
| resource: string, The name of the resource to start computing the effective `Policy`. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the GetEffectiveOrgPolicy method. |
| "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # A [list of available |
| # constraints](/resource-manager/docs/organization-policy/org-policy-constraints) |
| # is available. |
| # |
| # Immutable after creation. |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
| # - "folders/<folder-id>", e.g. "folders/1234" |
| # - "organizations/<organization-id>", e.g. "organizations/1234" |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supersedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {value: "E3" value: "E4" inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body=None, x__xgafv=None)</code> |
| <pre>Gets a `Policy` on a resource. |
| |
| If no `Policy` is set on the resource, a `Policy` is returned with default |
| values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The |
| `etag` value can be used with `SetOrgPolicy()` to create or update a |
| `Policy` during read-modify-write. |
| |
| Args: |
| resource: string, Name of the resource the `Policy` is set on. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the GetOrgPolicy method. |
| "constraint": "A String", # Name of the `Constraint` to get the `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # A [list of available |
| # constraints](/resource-manager/docs/organization-policy/org-policy-constraints) |
| # is available. |
| # |
| # Immutable after creation. |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
| # - "folders/<folder-id>", e.g. "folders/1234" |
| # - "organizations/<organization-id>", e.g. "organizations/1234" |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supersedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {value: "E3" value: "E4" inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body=None, x__xgafv=None)</code> |
| <pre>Lists `Constraints` that could be applied on the specified resource. |
| |
| Args: |
| resource: string, Name of the resource to list `Constraints` for. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the `ListAvailableOrgPolicyConstraints` method on the |
| # project, folder, or organization. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the `ListAvailableOrgPolicyConstraints` method. |
| # Returns all `Constraints` that could be set at this level of the hierarchy |
| # (contrast with the response from `ListPolicies`, which returns all policies |
| # which are set). |
| "constraints": [ # The collection of constraints that are settable on the request resource. |
| { # A `Constraint` describes a way in which a resource's configuration can be |
| # restricted. For example, it controls which cloud services can be activated |
| # across an organization, or whether a Compute Engine instance can have |
| # serial port connections established. `Constraints` can be configured by the |
| # organization's policy administrator to fit the needs of the organzation by |
| # setting Policies for `Constraints` at different locations in the |
| # organization's resource hierarchy. Policies are inherited down the resource |
| # hierarchy from higher levels, but can also be overridden. For details about |
| # the inheritance rules please read about |
| # [Policies](/resource-manager/reference/rest/v1/Policy). |
| # |
| # `Constraints` have a default behavior determined by the `constraint_default` |
| # field, which is the enforcement behavior that is used in the absence of a |
| # `Policy` being defined or inherited for the resource in question. |
| "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint. |
| # |
| # For example a constraint `constraints/compute.disableSerialPortAccess`. |
| # If it is enforced on a VM instance, serial port connections will not be |
| # opened to that instance. |
| }, |
| "name": "A String", # Immutable value, required to globally be unique. For example, |
| # `constraints/serviceuser.services` |
| "displayName": "A String", # The human readable name. |
| # |
| # Mutable. |
| "version": 42, # Version of the `Constraint`. Default version is 0; |
| "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint. |
| # configured by an Organization's policy administrator with a `Policy`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Constraint`. |
| "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy |
| # can be used in `Policy.allowed_values` and `Policy.denied_values`. For |
| # example, `"under:folders/123"` would match any resource under the |
| # 'folders/123' folder. |
| }, |
| "constraintDefault": "A String", # The evaluation behavior of this constraint in the absence of 'Policy'. |
| "description": "A String", # Detailed description of what this `Constraint` controls as well as how and |
| # where it is enforced. |
| # |
| # Mutable. |
| }, |
| ], |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body=None, x__xgafv=None)</code> |
| <pre>Lists all the `Policies` set for a particular resource. |
| |
| Args: |
| resource: string, Name of the resource to list Policies for. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the ListOrgPolicies method. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the `ListOrgPolicies` method. It will be empty |
| # if no `Policies` are set on the resource. |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but |
| # the server may at any point start supplying a valid token. |
| "policies": [ # The `Policies` that are set on the resource. It will be empty if no |
| # `Policies` are set. |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # A [list of available |
| # constraints](/resource-manager/docs/organization-policy/org-policy-constraints) |
| # is available. |
| # |
| # Immutable after creation. |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
| # - "folders/<folder-id>", e.g. "folders/1234" |
| # - "organizations/<organization-id>", e.g. "organizations/1234" |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supersedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {value: "E3" value: "E4" inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| }, |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body=None, x__xgafv=None)</code> |
| <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for |
| that `Constraint` on the resource if one does not exist. |
| |
| Not supplying an `etag` on the request `Policy` results in an unconditional |
| write of the `Policy`. |
| |
| Args: |
| resource: string, Resource name of the resource to attach the `Policy`. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # The request sent to the SetOrgPolicyRequest method. |
| "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource. |
| # for configurations of Cloud Platform resources. |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # A [list of available |
| # constraints](/resource-manager/docs/organization-policy/org-policy-constraints) |
| # is available. |
| # |
| # Immutable after creation. |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
| # - "folders/<folder-id>", e.g. "folders/1234" |
| # - "organizations/<organization-id>", e.g. "organizations/1234" |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supersedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {value: "E3" value: "E4" inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| }, |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # A [list of available |
| # constraints](/resource-manager/docs/organization-policy/org-policy-constraints) |
| # is available. |
| # |
| # Immutable after creation. |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
| # - "folders/<folder-id>", e.g. "folders/1234" |
| # - "organizations/<organization-id>", e.g. "organizations/1234" |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supersedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {value: "E3" value: "E4" inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values:"E2"} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| }, |
| }</pre> |
| </div> |
| |
| </body></html> |
