1 <html><body> 2 <style> 3 4 body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13 } 14 15 body { 16 font-size: 13px; 17 padding: 1em; 18 } 19 20 h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23 } 24 25 h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28 } 29 30 h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34 } 35 36 pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39 } 40 41 pre { 42 margin-top: 0.5em; 43 } 44 45 h1, h2, h3, p { 46 font-family: Arial, sans serif; 47 } 48 49 h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51 } 52 53 .toc_element { 54 margin-top: 0.5em; 55 } 56 57 .firstline { 58 margin-left: 2 em; 59 } 60 61 .method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66 } 67 68 .details { 69 font-weight: bold; 70 font-size: 14px; 71 } 72 73 </style> 74 75 <h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1> 76 <h2>Instance Methods</h2> 77 <p class="toc_element"> 78 <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p> 79 <p class="firstline">Clears a `Policy` from a resource.</p> 80 <p class="toc_element"> 81 <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p> 82 <p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p> 83 <p class="toc_element"> 84 <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p> 85 <p class="firstline">Gets a `Policy` on a resource.</p> 86 <p class="toc_element"> 87 <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p> 88 <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p> 89 <p class="toc_element"> 90 <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p> 91 <p class="firstline">Retrieves the next page of results.</p> 92 <p class="toc_element"> 93 <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p> 94 <p class="firstline">Lists all the `Policies` set for a particular resource.</p> 95 <p class="toc_element"> 96 <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p> 97 <p class="firstline">Retrieves the next page of results.</p> 98 <p class="toc_element"> 99 <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p> 100 <p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p> 101 <h3>Method Details</h3> 102 <div class="method"> 103 <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code> 104 <pre>Clears a `Policy` from a resource. 105 106 Args: 107 resource: string, Name of the resource for the `Policy` to clear. (required) 108 body: object, The request body. (required) 109 The object takes the form of: 110 111 { # The request sent to the ClearOrgPolicy method. 112 "etag": "A String", # The current version, for concurrency control. Not sending an `etag` 113 # will cause the `Policy` to be cleared blindly. 114 "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear. 115 } 116 117 x__xgafv: string, V1 error format. 118 Allowed values 119 1 - v1 error format 120 2 - v2 error format 121 122 Returns: 123 An object of the form: 124 125 { # A generic empty message that you can re-use to avoid defining duplicated 126 # empty messages in your APIs. A typical example is to use it as the request 127 # or the response type of an API method. For instance: 128 # 129 # service Foo { 130 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); 131 # } 132 # 133 # The JSON representation for `Empty` is empty JSON object `{}`. 134 }</pre> 135 </div> 136 137 <div class="method"> 138 <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code> 139 <pre>Gets the effective `Policy` on a resource. This is the result of merging 140 `Policies` in the resource hierarchy. The returned `Policy` will not have 141 an `etag`set because it is a computed `Policy` across multiple resources. 142 143 Args: 144 resource: string, The name of the resource to start computing the effective `Policy`. (required) 145 body: object, The request body. (required) 146 The object takes the form of: 147 148 { # The request sent to the GetEffectiveOrgPolicy method. 149 "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`. 150 } 151 152 x__xgafv: string, V1 error format. 153 Allowed values 154 1 - v1 error format 155 2 - v2 error format 156 157 Returns: 158 An object of the form: 159 160 { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` 161 # for configurations of Cloud Platform resources. 162 "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the 163 # server, not specified by the caller, and represents the last time a call to 164 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will 165 # be ignored. 166 "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, 167 # `constraints/serviceuser.services`. 168 # 169 # Immutable after creation. 170 "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of 171 # `Constraint` type. 172 # `constraint_default` enforcement behavior of the specific `Constraint` at 173 # this resource. 174 # 175 # Suppose that `constraint_default` is set to `ALLOW` for the 176 # `Constraint` `constraints/serviceuser.services`. Suppose that organization 177 # foo.com sets a `Policy` at their Organization resource node that restricts 178 # the allowed service activations to deny all service activations. They 179 # could then set a `Policy` with the `policy_type` `restore_default` on 180 # several experimental projects, restoring the `constraint_default` 181 # enforcement of the `Constraint` for only those projects, allowing those 182 # projects to have all services activated. 183 }, 184 "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. 185 # resource. 186 # 187 # A `ListPolicy` can define specific values that are allowed or denied by 188 # setting either the `allowed_values` or `denied_values` fields. It can also 189 # be used to allow or deny all values, by setting the `all_values` field. If 190 # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` 191 # or `denied_values` must be set (attempting to set both or neither will 192 # result in a failed request). If `all_values` is set to either `ALLOW` or 193 # `DENY`, `allowed_values` and `denied_values` must be unset. 194 "allValues": "A String", # The policy all_values state. 195 "allowedValues": [ # List of values allowed at this resource. an only be set if no values are 196 # set for `denied_values` and `all_values` is set to 197 # `ALL_VALUES_UNSPECIFIED`. 198 "A String", 199 ], 200 "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. 201 # 202 # By default, a `ListPolicy` set at a resource supercedes any `Policy` set 203 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is 204 # set to `true`, then the values from the effective `Policy` of the parent 205 # resource are inherited, meaning the values set in this `Policy` are 206 # added to the values inherited up the hierarchy. 207 # 208 # Setting `Policy` hierarchies that inherit both allowed values and denied 209 # values isn't recommended in most circumstances to keep the configuration 210 # simple and understandable. However, it is possible to set a `Policy` with 211 # `allowed_values` set that inherits a `Policy` with `denied_values` set. 212 # In this case, the values that are allowed must be in `allowed_values` and 213 # not present in `denied_values`. 214 # 215 # For example, suppose you have a `Constraint` 216 # `constraints/serviceuser.services`, which has a `constraint_type` of 217 # `list_constraint`, and with `constraint_default` set to `ALLOW`. 218 # Suppose that at the Organization level, a `Policy` is applied that 219 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a 220 # `Policy` is applied to a project below the Organization that has 221 # `inherit_from_parent` set to `false` and field all_values set to DENY, 222 # then an attempt to activate any API will be denied. 223 # 224 # The following examples demonstrate different possible layerings: 225 # 226 # Example 1 (no inherited values): 227 # `organizations/foo` has a `Policy` with values: 228 # {allowed_values: E1 allowed_values:E2} 229 # ``projects/bar`` has `inherit_from_parent` `false` and values: 230 # {allowed_values: "E3" allowed_values: "E4"} 231 # The accepted values at `organizations/foo` are `E1`, `E2`. 232 # The accepted values at `projects/bar` are `E3`, and `E4`. 233 # 234 # Example 2 (inherited values): 235 # `organizations/foo` has a `Policy` with values: 236 # {allowed_values: E1 allowed_values:E2} 237 # `projects/bar` has a `Policy` with values: 238 # {value: E3 value: E4 inherit_from_parent: true} 239 # The accepted values at `organizations/foo` are `E1`, `E2`. 240 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 241 # 242 # Example 3 (inheriting both allowed and denied values): 243 # `organizations/foo` has a `Policy` with values: 244 # {allowed_values: "E1" allowed_values: "E2"} 245 # `projects/bar` has a `Policy` with: 246 # {denied_values: "E1"} 247 # The accepted values at `organizations/foo` are `E1`, `E2`. 248 # The value accepted at `projects/bar` is `E2`. 249 # 250 # Example 4 (RestoreDefault): 251 # `organizations/foo` has a `Policy` with values: 252 # {allowed_values: E1 allowed_values:E2} 253 # `projects/bar` has a `Policy` with values: 254 # {RestoreDefault: {}} 255 # The accepted values at `organizations/foo` are `E1`, `E2`. 256 # The accepted values at `projects/bar` are either all or none depending on 257 # the value of `constraint_default` (if `ALLOW`, all; if 258 # `DENY`, none). 259 # 260 # Example 5 (no policy inherits parent policy): 261 # `organizations/foo` has no `Policy` set. 262 # `projects/bar` has no `Policy` set. 263 # The accepted values at both levels are either all or none depending on 264 # the value of `constraint_default` (if `ALLOW`, all; if 265 # `DENY`, none). 266 # 267 # Example 6 (ListConstraint allowing all): 268 # `organizations/foo` has a `Policy` with values: 269 # {allowed_values: E1 allowed_values: E2} 270 # `projects/bar` has a `Policy` with: 271 # {all: ALLOW} 272 # The accepted values at `organizations/foo` are `E1`, E2`. 273 # Any value is accepted at `projects/bar`. 274 # 275 # Example 7 (ListConstraint allowing none): 276 # `organizations/foo` has a `Policy` with values: 277 # {allowed_values: E1 allowed_values: E2} 278 # `projects/bar` has a `Policy` with: 279 # {all: DENY} 280 # The accepted values at `organizations/foo` are `E1`, E2`. 281 # No value is accepted at `projects/bar`. 282 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 283 # that matches the value specified in this `Policy`. If `suggested_value` 284 # is not set, it will inherit the value specified higher in the hierarchy, 285 # unless `inherit_from_parent` is `false`. 286 "deniedValues": [ # List of values denied at this resource. Can only be set if no values are 287 # set for `allowed_values` and `all_values` is set to 288 # `ALL_VALUES_UNSPECIFIED`. 289 "A String", 290 ], 291 }, 292 "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. 293 # resource. 294 "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any 295 # configuration is acceptable. 296 # 297 # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` 298 # with `constraint_default` set to `ALLOW`. A `Policy` for that 299 # `Constraint` exhibits the following behavior: 300 # - If the `Policy` at this resource has enforced set to `false`, serial 301 # port connection attempts will be allowed. 302 # - If the `Policy` at this resource has enforced set to `true`, serial 303 # port connection attempts will be refused. 304 # - If the `Policy` at this resource is `RestoreDefault`, serial port 305 # connection attempts will be allowed. 306 # - If no `Policy` is set at this resource or anywhere higher in the 307 # resource hierarchy, serial port connection attempts will be allowed. 308 # - If no `Policy` is set at this resource, but one exists higher in the 309 # resource hierarchy, the behavior is as if the`Policy` were set at 310 # this resource. 311 # 312 # The following examples demonstrate the different possible layerings: 313 # 314 # Example 1 (nearest `Constraint` wins): 315 # `organizations/foo` has a `Policy` with: 316 # {enforced: false} 317 # `projects/bar` has no `Policy` set. 318 # The constraint at `projects/bar` and `organizations/foo` will not be 319 # enforced. 320 # 321 # Example 2 (enforcement gets replaced): 322 # `organizations/foo` has a `Policy` with: 323 # {enforced: false} 324 # `projects/bar` has a `Policy` with: 325 # {enforced: true} 326 # The constraint at `organizations/foo` is not enforced. 327 # The constraint at `projects/bar` is enforced. 328 # 329 # Example 3 (RestoreDefault): 330 # `organizations/foo` has a `Policy` with: 331 # {enforced: true} 332 # `projects/bar` has a `Policy` with: 333 # {RestoreDefault: {}} 334 # The constraint at `organizations/foo` is enforced. 335 # The constraint at `projects/bar` is not enforced, because 336 # `constraint_default` for the `Constraint` is `ALLOW`. 337 }, 338 "version": 42, # Version of the `Policy`. Default version is 0; 339 "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for 340 # concurrency control. 341 # 342 # When the `Policy` is returned from either a `GetPolicy` or a 343 # `ListOrgPolicy` request, this `etag` indicates the version of the current 344 # `Policy` to use when executing a read-modify-write loop. 345 # 346 # When the `Policy` is returned from a `GetEffectivePolicy` request, the 347 # `etag` will be unset. 348 # 349 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 350 # that was returned from a `GetOrgPolicy` request as part of a 351 # read-modify-write loop for concurrency control. Not setting the `etag`in a 352 # `SetOrgPolicy` request will result in an unconditional write of the 353 # `Policy`. 354 }</pre> 355 </div> 356 357 <div class="method"> 358 <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code> 359 <pre>Gets a `Policy` on a resource. 360 361 If no `Policy` is set on the resource, a `Policy` is returned with default 362 values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The 363 `etag` value can be used with `SetOrgPolicy()` to create or update a 364 `Policy` during read-modify-write. 365 366 Args: 367 resource: string, Name of the resource the `Policy` is set on. (required) 368 body: object, The request body. (required) 369 The object takes the form of: 370 371 { # The request sent to the GetOrgPolicy method. 372 "constraint": "A String", # Name of the `Constraint` to get the `Policy`. 373 } 374 375 x__xgafv: string, V1 error format. 376 Allowed values 377 1 - v1 error format 378 2 - v2 error format 379 380 Returns: 381 An object of the form: 382 383 { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` 384 # for configurations of Cloud Platform resources. 385 "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the 386 # server, not specified by the caller, and represents the last time a call to 387 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will 388 # be ignored. 389 "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, 390 # `constraints/serviceuser.services`. 391 # 392 # Immutable after creation. 393 "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of 394 # `Constraint` type. 395 # `constraint_default` enforcement behavior of the specific `Constraint` at 396 # this resource. 397 # 398 # Suppose that `constraint_default` is set to `ALLOW` for the 399 # `Constraint` `constraints/serviceuser.services`. Suppose that organization 400 # foo.com sets a `Policy` at their Organization resource node that restricts 401 # the allowed service activations to deny all service activations. They 402 # could then set a `Policy` with the `policy_type` `restore_default` on 403 # several experimental projects, restoring the `constraint_default` 404 # enforcement of the `Constraint` for only those projects, allowing those 405 # projects to have all services activated. 406 }, 407 "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. 408 # resource. 409 # 410 # A `ListPolicy` can define specific values that are allowed or denied by 411 # setting either the `allowed_values` or `denied_values` fields. It can also 412 # be used to allow or deny all values, by setting the `all_values` field. If 413 # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` 414 # or `denied_values` must be set (attempting to set both or neither will 415 # result in a failed request). If `all_values` is set to either `ALLOW` or 416 # `DENY`, `allowed_values` and `denied_values` must be unset. 417 "allValues": "A String", # The policy all_values state. 418 "allowedValues": [ # List of values allowed at this resource. an only be set if no values are 419 # set for `denied_values` and `all_values` is set to 420 # `ALL_VALUES_UNSPECIFIED`. 421 "A String", 422 ], 423 "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. 424 # 425 # By default, a `ListPolicy` set at a resource supercedes any `Policy` set 426 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is 427 # set to `true`, then the values from the effective `Policy` of the parent 428 # resource are inherited, meaning the values set in this `Policy` are 429 # added to the values inherited up the hierarchy. 430 # 431 # Setting `Policy` hierarchies that inherit both allowed values and denied 432 # values isn't recommended in most circumstances to keep the configuration 433 # simple and understandable. However, it is possible to set a `Policy` with 434 # `allowed_values` set that inherits a `Policy` with `denied_values` set. 435 # In this case, the values that are allowed must be in `allowed_values` and 436 # not present in `denied_values`. 437 # 438 # For example, suppose you have a `Constraint` 439 # `constraints/serviceuser.services`, which has a `constraint_type` of 440 # `list_constraint`, and with `constraint_default` set to `ALLOW`. 441 # Suppose that at the Organization level, a `Policy` is applied that 442 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a 443 # `Policy` is applied to a project below the Organization that has 444 # `inherit_from_parent` set to `false` and field all_values set to DENY, 445 # then an attempt to activate any API will be denied. 446 # 447 # The following examples demonstrate different possible layerings: 448 # 449 # Example 1 (no inherited values): 450 # `organizations/foo` has a `Policy` with values: 451 # {allowed_values: E1 allowed_values:E2} 452 # ``projects/bar`` has `inherit_from_parent` `false` and values: 453 # {allowed_values: "E3" allowed_values: "E4"} 454 # The accepted values at `organizations/foo` are `E1`, `E2`. 455 # The accepted values at `projects/bar` are `E3`, and `E4`. 456 # 457 # Example 2 (inherited values): 458 # `organizations/foo` has a `Policy` with values: 459 # {allowed_values: E1 allowed_values:E2} 460 # `projects/bar` has a `Policy` with values: 461 # {value: E3 value: E4 inherit_from_parent: true} 462 # The accepted values at `organizations/foo` are `E1`, `E2`. 463 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 464 # 465 # Example 3 (inheriting both allowed and denied values): 466 # `organizations/foo` has a `Policy` with values: 467 # {allowed_values: "E1" allowed_values: "E2"} 468 # `projects/bar` has a `Policy` with: 469 # {denied_values: "E1"} 470 # The accepted values at `organizations/foo` are `E1`, `E2`. 471 # The value accepted at `projects/bar` is `E2`. 472 # 473 # Example 4 (RestoreDefault): 474 # `organizations/foo` has a `Policy` with values: 475 # {allowed_values: E1 allowed_values:E2} 476 # `projects/bar` has a `Policy` with values: 477 # {RestoreDefault: {}} 478 # The accepted values at `organizations/foo` are `E1`, `E2`. 479 # The accepted values at `projects/bar` are either all or none depending on 480 # the value of `constraint_default` (if `ALLOW`, all; if 481 # `DENY`, none). 482 # 483 # Example 5 (no policy inherits parent policy): 484 # `organizations/foo` has no `Policy` set. 485 # `projects/bar` has no `Policy` set. 486 # The accepted values at both levels are either all or none depending on 487 # the value of `constraint_default` (if `ALLOW`, all; if 488 # `DENY`, none). 489 # 490 # Example 6 (ListConstraint allowing all): 491 # `organizations/foo` has a `Policy` with values: 492 # {allowed_values: E1 allowed_values: E2} 493 # `projects/bar` has a `Policy` with: 494 # {all: ALLOW} 495 # The accepted values at `organizations/foo` are `E1`, E2`. 496 # Any value is accepted at `projects/bar`. 497 # 498 # Example 7 (ListConstraint allowing none): 499 # `organizations/foo` has a `Policy` with values: 500 # {allowed_values: E1 allowed_values: E2} 501 # `projects/bar` has a `Policy` with: 502 # {all: DENY} 503 # The accepted values at `organizations/foo` are `E1`, E2`. 504 # No value is accepted at `projects/bar`. 505 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 506 # that matches the value specified in this `Policy`. If `suggested_value` 507 # is not set, it will inherit the value specified higher in the hierarchy, 508 # unless `inherit_from_parent` is `false`. 509 "deniedValues": [ # List of values denied at this resource. Can only be set if no values are 510 # set for `allowed_values` and `all_values` is set to 511 # `ALL_VALUES_UNSPECIFIED`. 512 "A String", 513 ], 514 }, 515 "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. 516 # resource. 517 "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any 518 # configuration is acceptable. 519 # 520 # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` 521 # with `constraint_default` set to `ALLOW`. A `Policy` for that 522 # `Constraint` exhibits the following behavior: 523 # - If the `Policy` at this resource has enforced set to `false`, serial 524 # port connection attempts will be allowed. 525 # - If the `Policy` at this resource has enforced set to `true`, serial 526 # port connection attempts will be refused. 527 # - If the `Policy` at this resource is `RestoreDefault`, serial port 528 # connection attempts will be allowed. 529 # - If no `Policy` is set at this resource or anywhere higher in the 530 # resource hierarchy, serial port connection attempts will be allowed. 531 # - If no `Policy` is set at this resource, but one exists higher in the 532 # resource hierarchy, the behavior is as if the`Policy` were set at 533 # this resource. 534 # 535 # The following examples demonstrate the different possible layerings: 536 # 537 # Example 1 (nearest `Constraint` wins): 538 # `organizations/foo` has a `Policy` with: 539 # {enforced: false} 540 # `projects/bar` has no `Policy` set. 541 # The constraint at `projects/bar` and `organizations/foo` will not be 542 # enforced. 543 # 544 # Example 2 (enforcement gets replaced): 545 # `organizations/foo` has a `Policy` with: 546 # {enforced: false} 547 # `projects/bar` has a `Policy` with: 548 # {enforced: true} 549 # The constraint at `organizations/foo` is not enforced. 550 # The constraint at `projects/bar` is enforced. 551 # 552 # Example 3 (RestoreDefault): 553 # `organizations/foo` has a `Policy` with: 554 # {enforced: true} 555 # `projects/bar` has a `Policy` with: 556 # {RestoreDefault: {}} 557 # The constraint at `organizations/foo` is enforced. 558 # The constraint at `projects/bar` is not enforced, because 559 # `constraint_default` for the `Constraint` is `ALLOW`. 560 }, 561 "version": 42, # Version of the `Policy`. Default version is 0; 562 "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for 563 # concurrency control. 564 # 565 # When the `Policy` is returned from either a `GetPolicy` or a 566 # `ListOrgPolicy` request, this `etag` indicates the version of the current 567 # `Policy` to use when executing a read-modify-write loop. 568 # 569 # When the `Policy` is returned from a `GetEffectivePolicy` request, the 570 # `etag` will be unset. 571 # 572 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 573 # that was returned from a `GetOrgPolicy` request as part of a 574 # read-modify-write loop for concurrency control. Not setting the `etag`in a 575 # `SetOrgPolicy` request will result in an unconditional write of the 576 # `Policy`. 577 }</pre> 578 </div> 579 580 <div class="method"> 581 <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code> 582 <pre>Lists `Constraints` that could be applied on the specified resource. 583 584 Args: 585 resource: string, Name of the resource to list `Constraints` for. (required) 586 body: object, The request body. (required) 587 The object takes the form of: 588 589 { # The request sent to the [ListAvailableOrgPolicyConstraints] 590 # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method. 591 "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported 592 # and will be ignored. The server may at any point start using this field. 593 "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will 594 # be ignored. The server may at any point start using this field to limit 595 # page size. 596 } 597 598 x__xgafv: string, V1 error format. 599 Allowed values 600 1 - v1 error format 601 2 - v2 error format 602 603 Returns: 604 An object of the form: 605 606 { # The response returned from the ListAvailableOrgPolicyConstraints method. 607 # Returns all `Constraints` that could be set at this level of the hierarchy 608 # (contrast with the response from `ListPolicies`, which returns all policies 609 # which are set). 610 "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used. 611 "constraints": [ # The collection of constraints that are settable on the request resource. 612 { # A `Constraint` describes a way in which a resource's configuration can be 613 # restricted. For example, it controls which cloud services can be activated 614 # across an organization, or whether a Compute Engine instance can have 615 # serial port connections established. `Constraints` can be configured by the 616 # organization's policy adminstrator to fit the needs of the organzation by 617 # setting Policies for `Constraints` at different locations in the 618 # organization's resource hierarchy. Policies are inherited down the resource 619 # hierarchy from higher levels, but can also be overridden. For details about 620 # the inheritance rules please read about 621 # Policies. 622 # 623 # `Constraints` have a default behavior determined by the `constraint_default` 624 # field, which is the enforcement behavior that is used in the absence of a 625 # `Policy` being defined or inherited for the resource in question. 626 "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'. 627 "displayName": "A String", # The human readable name. 628 # 629 # Mutable. 630 "description": "A String", # Detailed description of what this `Constraint` controls as well as how and 631 # where it is enforced. 632 # 633 # Mutable. 634 "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint. 635 # 636 # For example a constraint `constraints/compute.disableSerialPortAccess`. 637 # If it is enforced on a VM instance, serial port connections will not be 638 # opened to that instance. 639 }, 640 "version": 42, # Version of the `Constraint`. Default version is 0; 641 "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint. 642 # configured by an Organization's policy administrator with a `Policy`. 643 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 644 # that matches the value specified in this `Constraint`. 645 }, 646 "name": "A String", # Immutable value, required to globally be unique. For example, 647 # `constraints/serviceuser.services` 648 }, 649 ], 650 }</pre> 651 </div> 652 653 <div class="method"> 654 <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code> 655 <pre>Retrieves the next page of results. 656 657 Args: 658 previous_request: The request for the previous page. (required) 659 previous_response: The response from the request for the previous page. (required) 660 661 Returns: 662 A request object that you can call 'execute()' on to request the next 663 page. Returns None if there are no more items in the collection. 664 </pre> 665 </div> 666 667 <div class="method"> 668 <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code> 669 <pre>Lists all the `Policies` set for a particular resource. 670 671 Args: 672 resource: string, Name of the resource to list Policies for. (required) 673 body: object, The request body. (required) 674 The object takes the form of: 675 676 { # The request sent to the ListOrgPolicies method. 677 "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported 678 # and will be ignored. The server may at any point start using this field. 679 "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will 680 # be ignored. The server may at any point start using this field to limit 681 # page size. 682 } 683 684 x__xgafv: string, V1 error format. 685 Allowed values 686 1 - v1 error format 687 2 - v2 error format 688 689 Returns: 690 An object of the form: 691 692 { # The response returned from the ListOrgPolicies method. It will be empty 693 # if no `Policies` are set on the resource. 694 "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but 695 # the server may at any point start supplying a valid token. 696 "policies": [ # The `Policies` that are set on the resource. It will be empty if no 697 # `Policies` are set. 698 { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` 699 # for configurations of Cloud Platform resources. 700 "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the 701 # server, not specified by the caller, and represents the last time a call to 702 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will 703 # be ignored. 704 "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, 705 # `constraints/serviceuser.services`. 706 # 707 # Immutable after creation. 708 "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of 709 # `Constraint` type. 710 # `constraint_default` enforcement behavior of the specific `Constraint` at 711 # this resource. 712 # 713 # Suppose that `constraint_default` is set to `ALLOW` for the 714 # `Constraint` `constraints/serviceuser.services`. Suppose that organization 715 # foo.com sets a `Policy` at their Organization resource node that restricts 716 # the allowed service activations to deny all service activations. They 717 # could then set a `Policy` with the `policy_type` `restore_default` on 718 # several experimental projects, restoring the `constraint_default` 719 # enforcement of the `Constraint` for only those projects, allowing those 720 # projects to have all services activated. 721 }, 722 "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. 723 # resource. 724 # 725 # A `ListPolicy` can define specific values that are allowed or denied by 726 # setting either the `allowed_values` or `denied_values` fields. It can also 727 # be used to allow or deny all values, by setting the `all_values` field. If 728 # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` 729 # or `denied_values` must be set (attempting to set both or neither will 730 # result in a failed request). If `all_values` is set to either `ALLOW` or 731 # `DENY`, `allowed_values` and `denied_values` must be unset. 732 "allValues": "A String", # The policy all_values state. 733 "allowedValues": [ # List of values allowed at this resource. an only be set if no values are 734 # set for `denied_values` and `all_values` is set to 735 # `ALL_VALUES_UNSPECIFIED`. 736 "A String", 737 ], 738 "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. 739 # 740 # By default, a `ListPolicy` set at a resource supercedes any `Policy` set 741 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is 742 # set to `true`, then the values from the effective `Policy` of the parent 743 # resource are inherited, meaning the values set in this `Policy` are 744 # added to the values inherited up the hierarchy. 745 # 746 # Setting `Policy` hierarchies that inherit both allowed values and denied 747 # values isn't recommended in most circumstances to keep the configuration 748 # simple and understandable. However, it is possible to set a `Policy` with 749 # `allowed_values` set that inherits a `Policy` with `denied_values` set. 750 # In this case, the values that are allowed must be in `allowed_values` and 751 # not present in `denied_values`. 752 # 753 # For example, suppose you have a `Constraint` 754 # `constraints/serviceuser.services`, which has a `constraint_type` of 755 # `list_constraint`, and with `constraint_default` set to `ALLOW`. 756 # Suppose that at the Organization level, a `Policy` is applied that 757 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a 758 # `Policy` is applied to a project below the Organization that has 759 # `inherit_from_parent` set to `false` and field all_values set to DENY, 760 # then an attempt to activate any API will be denied. 761 # 762 # The following examples demonstrate different possible layerings: 763 # 764 # Example 1 (no inherited values): 765 # `organizations/foo` has a `Policy` with values: 766 # {allowed_values: E1 allowed_values:E2} 767 # ``projects/bar`` has `inherit_from_parent` `false` and values: 768 # {allowed_values: "E3" allowed_values: "E4"} 769 # The accepted values at `organizations/foo` are `E1`, `E2`. 770 # The accepted values at `projects/bar` are `E3`, and `E4`. 771 # 772 # Example 2 (inherited values): 773 # `organizations/foo` has a `Policy` with values: 774 # {allowed_values: E1 allowed_values:E2} 775 # `projects/bar` has a `Policy` with values: 776 # {value: E3 value: E4 inherit_from_parent: true} 777 # The accepted values at `organizations/foo` are `E1`, `E2`. 778 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 779 # 780 # Example 3 (inheriting both allowed and denied values): 781 # `organizations/foo` has a `Policy` with values: 782 # {allowed_values: "E1" allowed_values: "E2"} 783 # `projects/bar` has a `Policy` with: 784 # {denied_values: "E1"} 785 # The accepted values at `organizations/foo` are `E1`, `E2`. 786 # The value accepted at `projects/bar` is `E2`. 787 # 788 # Example 4 (RestoreDefault): 789 # `organizations/foo` has a `Policy` with values: 790 # {allowed_values: E1 allowed_values:E2} 791 # `projects/bar` has a `Policy` with values: 792 # {RestoreDefault: {}} 793 # The accepted values at `organizations/foo` are `E1`, `E2`. 794 # The accepted values at `projects/bar` are either all or none depending on 795 # the value of `constraint_default` (if `ALLOW`, all; if 796 # `DENY`, none). 797 # 798 # Example 5 (no policy inherits parent policy): 799 # `organizations/foo` has no `Policy` set. 800 # `projects/bar` has no `Policy` set. 801 # The accepted values at both levels are either all or none depending on 802 # the value of `constraint_default` (if `ALLOW`, all; if 803 # `DENY`, none). 804 # 805 # Example 6 (ListConstraint allowing all): 806 # `organizations/foo` has a `Policy` with values: 807 # {allowed_values: E1 allowed_values: E2} 808 # `projects/bar` has a `Policy` with: 809 # {all: ALLOW} 810 # The accepted values at `organizations/foo` are `E1`, E2`. 811 # Any value is accepted at `projects/bar`. 812 # 813 # Example 7 (ListConstraint allowing none): 814 # `organizations/foo` has a `Policy` with values: 815 # {allowed_values: E1 allowed_values: E2} 816 # `projects/bar` has a `Policy` with: 817 # {all: DENY} 818 # The accepted values at `organizations/foo` are `E1`, E2`. 819 # No value is accepted at `projects/bar`. 820 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 821 # that matches the value specified in this `Policy`. If `suggested_value` 822 # is not set, it will inherit the value specified higher in the hierarchy, 823 # unless `inherit_from_parent` is `false`. 824 "deniedValues": [ # List of values denied at this resource. Can only be set if no values are 825 # set for `allowed_values` and `all_values` is set to 826 # `ALL_VALUES_UNSPECIFIED`. 827 "A String", 828 ], 829 }, 830 "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. 831 # resource. 832 "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any 833 # configuration is acceptable. 834 # 835 # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` 836 # with `constraint_default` set to `ALLOW`. A `Policy` for that 837 # `Constraint` exhibits the following behavior: 838 # - If the `Policy` at this resource has enforced set to `false`, serial 839 # port connection attempts will be allowed. 840 # - If the `Policy` at this resource has enforced set to `true`, serial 841 # port connection attempts will be refused. 842 # - If the `Policy` at this resource is `RestoreDefault`, serial port 843 # connection attempts will be allowed. 844 # - If no `Policy` is set at this resource or anywhere higher in the 845 # resource hierarchy, serial port connection attempts will be allowed. 846 # - If no `Policy` is set at this resource, but one exists higher in the 847 # resource hierarchy, the behavior is as if the`Policy` were set at 848 # this resource. 849 # 850 # The following examples demonstrate the different possible layerings: 851 # 852 # Example 1 (nearest `Constraint` wins): 853 # `organizations/foo` has a `Policy` with: 854 # {enforced: false} 855 # `projects/bar` has no `Policy` set. 856 # The constraint at `projects/bar` and `organizations/foo` will not be 857 # enforced. 858 # 859 # Example 2 (enforcement gets replaced): 860 # `organizations/foo` has a `Policy` with: 861 # {enforced: false} 862 # `projects/bar` has a `Policy` with: 863 # {enforced: true} 864 # The constraint at `organizations/foo` is not enforced. 865 # The constraint at `projects/bar` is enforced. 866 # 867 # Example 3 (RestoreDefault): 868 # `organizations/foo` has a `Policy` with: 869 # {enforced: true} 870 # `projects/bar` has a `Policy` with: 871 # {RestoreDefault: {}} 872 # The constraint at `organizations/foo` is enforced. 873 # The constraint at `projects/bar` is not enforced, because 874 # `constraint_default` for the `Constraint` is `ALLOW`. 875 }, 876 "version": 42, # Version of the `Policy`. Default version is 0; 877 "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for 878 # concurrency control. 879 # 880 # When the `Policy` is returned from either a `GetPolicy` or a 881 # `ListOrgPolicy` request, this `etag` indicates the version of the current 882 # `Policy` to use when executing a read-modify-write loop. 883 # 884 # When the `Policy` is returned from a `GetEffectivePolicy` request, the 885 # `etag` will be unset. 886 # 887 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 888 # that was returned from a `GetOrgPolicy` request as part of a 889 # read-modify-write loop for concurrency control. Not setting the `etag`in a 890 # `SetOrgPolicy` request will result in an unconditional write of the 891 # `Policy`. 892 }, 893 ], 894 }</pre> 895 </div> 896 897 <div class="method"> 898 <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code> 899 <pre>Retrieves the next page of results. 900 901 Args: 902 previous_request: The request for the previous page. (required) 903 previous_response: The response from the request for the previous page. (required) 904 905 Returns: 906 A request object that you can call 'execute()' on to request the next 907 page. Returns None if there are no more items in the collection. 908 </pre> 909 </div> 910 911 <div class="method"> 912 <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code> 913 <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for 914 that `Constraint` on the resource if one does not exist. 915 916 Not supplying an `etag` on the request `Policy` results in an unconditional 917 write of the `Policy`. 918 919 Args: 920 resource: string, Resource name of the resource to attach the `Policy`. (required) 921 body: object, The request body. (required) 922 The object takes the form of: 923 924 { # The request sent to the SetOrgPolicyRequest method. 925 "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource. 926 # for configurations of Cloud Platform resources. 927 "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the 928 # server, not specified by the caller, and represents the last time a call to 929 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will 930 # be ignored. 931 "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, 932 # `constraints/serviceuser.services`. 933 # 934 # Immutable after creation. 935 "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of 936 # `Constraint` type. 937 # `constraint_default` enforcement behavior of the specific `Constraint` at 938 # this resource. 939 # 940 # Suppose that `constraint_default` is set to `ALLOW` for the 941 # `Constraint` `constraints/serviceuser.services`. Suppose that organization 942 # foo.com sets a `Policy` at their Organization resource node that restricts 943 # the allowed service activations to deny all service activations. They 944 # could then set a `Policy` with the `policy_type` `restore_default` on 945 # several experimental projects, restoring the `constraint_default` 946 # enforcement of the `Constraint` for only those projects, allowing those 947 # projects to have all services activated. 948 }, 949 "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. 950 # resource. 951 # 952 # A `ListPolicy` can define specific values that are allowed or denied by 953 # setting either the `allowed_values` or `denied_values` fields. It can also 954 # be used to allow or deny all values, by setting the `all_values` field. If 955 # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` 956 # or `denied_values` must be set (attempting to set both or neither will 957 # result in a failed request). If `all_values` is set to either `ALLOW` or 958 # `DENY`, `allowed_values` and `denied_values` must be unset. 959 "allValues": "A String", # The policy all_values state. 960 "allowedValues": [ # List of values allowed at this resource. an only be set if no values are 961 # set for `denied_values` and `all_values` is set to 962 # `ALL_VALUES_UNSPECIFIED`. 963 "A String", 964 ], 965 "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. 966 # 967 # By default, a `ListPolicy` set at a resource supercedes any `Policy` set 968 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is 969 # set to `true`, then the values from the effective `Policy` of the parent 970 # resource are inherited, meaning the values set in this `Policy` are 971 # added to the values inherited up the hierarchy. 972 # 973 # Setting `Policy` hierarchies that inherit both allowed values and denied 974 # values isn't recommended in most circumstances to keep the configuration 975 # simple and understandable. However, it is possible to set a `Policy` with 976 # `allowed_values` set that inherits a `Policy` with `denied_values` set. 977 # In this case, the values that are allowed must be in `allowed_values` and 978 # not present in `denied_values`. 979 # 980 # For example, suppose you have a `Constraint` 981 # `constraints/serviceuser.services`, which has a `constraint_type` of 982 # `list_constraint`, and with `constraint_default` set to `ALLOW`. 983 # Suppose that at the Organization level, a `Policy` is applied that 984 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a 985 # `Policy` is applied to a project below the Organization that has 986 # `inherit_from_parent` set to `false` and field all_values set to DENY, 987 # then an attempt to activate any API will be denied. 988 # 989 # The following examples demonstrate different possible layerings: 990 # 991 # Example 1 (no inherited values): 992 # `organizations/foo` has a `Policy` with values: 993 # {allowed_values: E1 allowed_values:E2} 994 # ``projects/bar`` has `inherit_from_parent` `false` and values: 995 # {allowed_values: "E3" allowed_values: "E4"} 996 # The accepted values at `organizations/foo` are `E1`, `E2`. 997 # The accepted values at `projects/bar` are `E3`, and `E4`. 998 # 999 # Example 2 (inherited values): 1000 # `organizations/foo` has a `Policy` with values: 1001 # {allowed_values: E1 allowed_values:E2} 1002 # `projects/bar` has a `Policy` with values: 1003 # {value: E3 value: E4 inherit_from_parent: true} 1004 # The accepted values at `organizations/foo` are `E1`, `E2`. 1005 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 1006 # 1007 # Example 3 (inheriting both allowed and denied values): 1008 # `organizations/foo` has a `Policy` with values: 1009 # {allowed_values: "E1" allowed_values: "E2"} 1010 # `projects/bar` has a `Policy` with: 1011 # {denied_values: "E1"} 1012 # The accepted values at `organizations/foo` are `E1`, `E2`. 1013 # The value accepted at `projects/bar` is `E2`. 1014 # 1015 # Example 4 (RestoreDefault): 1016 # `organizations/foo` has a `Policy` with values: 1017 # {allowed_values: E1 allowed_values:E2} 1018 # `projects/bar` has a `Policy` with values: 1019 # {RestoreDefault: {}} 1020 # The accepted values at `organizations/foo` are `E1`, `E2`. 1021 # The accepted values at `projects/bar` are either all or none depending on 1022 # the value of `constraint_default` (if `ALLOW`, all; if 1023 # `DENY`, none). 1024 # 1025 # Example 5 (no policy inherits parent policy): 1026 # `organizations/foo` has no `Policy` set. 1027 # `projects/bar` has no `Policy` set. 1028 # The accepted values at both levels are either all or none depending on 1029 # the value of `constraint_default` (if `ALLOW`, all; if 1030 # `DENY`, none). 1031 # 1032 # Example 6 (ListConstraint allowing all): 1033 # `organizations/foo` has a `Policy` with values: 1034 # {allowed_values: E1 allowed_values: E2} 1035 # `projects/bar` has a `Policy` with: 1036 # {all: ALLOW} 1037 # The accepted values at `organizations/foo` are `E1`, E2`. 1038 # Any value is accepted at `projects/bar`. 1039 # 1040 # Example 7 (ListConstraint allowing none): 1041 # `organizations/foo` has a `Policy` with values: 1042 # {allowed_values: E1 allowed_values: E2} 1043 # `projects/bar` has a `Policy` with: 1044 # {all: DENY} 1045 # The accepted values at `organizations/foo` are `E1`, E2`. 1046 # No value is accepted at `projects/bar`. 1047 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 1048 # that matches the value specified in this `Policy`. If `suggested_value` 1049 # is not set, it will inherit the value specified higher in the hierarchy, 1050 # unless `inherit_from_parent` is `false`. 1051 "deniedValues": [ # List of values denied at this resource. Can only be set if no values are 1052 # set for `allowed_values` and `all_values` is set to 1053 # `ALL_VALUES_UNSPECIFIED`. 1054 "A String", 1055 ], 1056 }, 1057 "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. 1058 # resource. 1059 "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any 1060 # configuration is acceptable. 1061 # 1062 # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` 1063 # with `constraint_default` set to `ALLOW`. A `Policy` for that 1064 # `Constraint` exhibits the following behavior: 1065 # - If the `Policy` at this resource has enforced set to `false`, serial 1066 # port connection attempts will be allowed. 1067 # - If the `Policy` at this resource has enforced set to `true`, serial 1068 # port connection attempts will be refused. 1069 # - If the `Policy` at this resource is `RestoreDefault`, serial port 1070 # connection attempts will be allowed. 1071 # - If no `Policy` is set at this resource or anywhere higher in the 1072 # resource hierarchy, serial port connection attempts will be allowed. 1073 # - If no `Policy` is set at this resource, but one exists higher in the 1074 # resource hierarchy, the behavior is as if the`Policy` were set at 1075 # this resource. 1076 # 1077 # The following examples demonstrate the different possible layerings: 1078 # 1079 # Example 1 (nearest `Constraint` wins): 1080 # `organizations/foo` has a `Policy` with: 1081 # {enforced: false} 1082 # `projects/bar` has no `Policy` set. 1083 # The constraint at `projects/bar` and `organizations/foo` will not be 1084 # enforced. 1085 # 1086 # Example 2 (enforcement gets replaced): 1087 # `organizations/foo` has a `Policy` with: 1088 # {enforced: false} 1089 # `projects/bar` has a `Policy` with: 1090 # {enforced: true} 1091 # The constraint at `organizations/foo` is not enforced. 1092 # The constraint at `projects/bar` is enforced. 1093 # 1094 # Example 3 (RestoreDefault): 1095 # `organizations/foo` has a `Policy` with: 1096 # {enforced: true} 1097 # `projects/bar` has a `Policy` with: 1098 # {RestoreDefault: {}} 1099 # The constraint at `organizations/foo` is enforced. 1100 # The constraint at `projects/bar` is not enforced, because 1101 # `constraint_default` for the `Constraint` is `ALLOW`. 1102 }, 1103 "version": 42, # Version of the `Policy`. Default version is 0; 1104 "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for 1105 # concurrency control. 1106 # 1107 # When the `Policy` is returned from either a `GetPolicy` or a 1108 # `ListOrgPolicy` request, this `etag` indicates the version of the current 1109 # `Policy` to use when executing a read-modify-write loop. 1110 # 1111 # When the `Policy` is returned from a `GetEffectivePolicy` request, the 1112 # `etag` will be unset. 1113 # 1114 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 1115 # that was returned from a `GetOrgPolicy` request as part of a 1116 # read-modify-write loop for concurrency control. Not setting the `etag`in a 1117 # `SetOrgPolicy` request will result in an unconditional write of the 1118 # `Policy`. 1119 }, 1120 } 1121 1122 x__xgafv: string, V1 error format. 1123 Allowed values 1124 1 - v1 error format 1125 2 - v2 error format 1126 1127 Returns: 1128 An object of the form: 1129 1130 { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` 1131 # for configurations of Cloud Platform resources. 1132 "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the 1133 # server, not specified by the caller, and represents the last time a call to 1134 # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will 1135 # be ignored. 1136 "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, 1137 # `constraints/serviceuser.services`. 1138 # 1139 # Immutable after creation. 1140 "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of 1141 # `Constraint` type. 1142 # `constraint_default` enforcement behavior of the specific `Constraint` at 1143 # this resource. 1144 # 1145 # Suppose that `constraint_default` is set to `ALLOW` for the 1146 # `Constraint` `constraints/serviceuser.services`. Suppose that organization 1147 # foo.com sets a `Policy` at their Organization resource node that restricts 1148 # the allowed service activations to deny all service activations. They 1149 # could then set a `Policy` with the `policy_type` `restore_default` on 1150 # several experimental projects, restoring the `constraint_default` 1151 # enforcement of the `Constraint` for only those projects, allowing those 1152 # projects to have all services activated. 1153 }, 1154 "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. 1155 # resource. 1156 # 1157 # A `ListPolicy` can define specific values that are allowed or denied by 1158 # setting either the `allowed_values` or `denied_values` fields. It can also 1159 # be used to allow or deny all values, by setting the `all_values` field. If 1160 # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values` 1161 # or `denied_values` must be set (attempting to set both or neither will 1162 # result in a failed request). If `all_values` is set to either `ALLOW` or 1163 # `DENY`, `allowed_values` and `denied_values` must be unset. 1164 "allValues": "A String", # The policy all_values state. 1165 "allowedValues": [ # List of values allowed at this resource. an only be set if no values are 1166 # set for `denied_values` and `all_values` is set to 1167 # `ALL_VALUES_UNSPECIFIED`. 1168 "A String", 1169 ], 1170 "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. 1171 # 1172 # By default, a `ListPolicy` set at a resource supercedes any `Policy` set 1173 # anywhere up the resource hierarchy. However, if `inherit_from_parent` is 1174 # set to `true`, then the values from the effective `Policy` of the parent 1175 # resource are inherited, meaning the values set in this `Policy` are 1176 # added to the values inherited up the hierarchy. 1177 # 1178 # Setting `Policy` hierarchies that inherit both allowed values and denied 1179 # values isn't recommended in most circumstances to keep the configuration 1180 # simple and understandable. However, it is possible to set a `Policy` with 1181 # `allowed_values` set that inherits a `Policy` with `denied_values` set. 1182 # In this case, the values that are allowed must be in `allowed_values` and 1183 # not present in `denied_values`. 1184 # 1185 # For example, suppose you have a `Constraint` 1186 # `constraints/serviceuser.services`, which has a `constraint_type` of 1187 # `list_constraint`, and with `constraint_default` set to `ALLOW`. 1188 # Suppose that at the Organization level, a `Policy` is applied that 1189 # restricts the allowed API activations to {`E1`, `E2`}. Then, if a 1190 # `Policy` is applied to a project below the Organization that has 1191 # `inherit_from_parent` set to `false` and field all_values set to DENY, 1192 # then an attempt to activate any API will be denied. 1193 # 1194 # The following examples demonstrate different possible layerings: 1195 # 1196 # Example 1 (no inherited values): 1197 # `organizations/foo` has a `Policy` with values: 1198 # {allowed_values: E1 allowed_values:E2} 1199 # ``projects/bar`` has `inherit_from_parent` `false` and values: 1200 # {allowed_values: "E3" allowed_values: "E4"} 1201 # The accepted values at `organizations/foo` are `E1`, `E2`. 1202 # The accepted values at `projects/bar` are `E3`, and `E4`. 1203 # 1204 # Example 2 (inherited values): 1205 # `organizations/foo` has a `Policy` with values: 1206 # {allowed_values: E1 allowed_values:E2} 1207 # `projects/bar` has a `Policy` with values: 1208 # {value: E3 value: E4 inherit_from_parent: true} 1209 # The accepted values at `organizations/foo` are `E1`, `E2`. 1210 # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. 1211 # 1212 # Example 3 (inheriting both allowed and denied values): 1213 # `organizations/foo` has a `Policy` with values: 1214 # {allowed_values: "E1" allowed_values: "E2"} 1215 # `projects/bar` has a `Policy` with: 1216 # {denied_values: "E1"} 1217 # The accepted values at `organizations/foo` are `E1`, `E2`. 1218 # The value accepted at `projects/bar` is `E2`. 1219 # 1220 # Example 4 (RestoreDefault): 1221 # `organizations/foo` has a `Policy` with values: 1222 # {allowed_values: E1 allowed_values:E2} 1223 # `projects/bar` has a `Policy` with values: 1224 # {RestoreDefault: {}} 1225 # The accepted values at `organizations/foo` are `E1`, `E2`. 1226 # The accepted values at `projects/bar` are either all or none depending on 1227 # the value of `constraint_default` (if `ALLOW`, all; if 1228 # `DENY`, none). 1229 # 1230 # Example 5 (no policy inherits parent policy): 1231 # `organizations/foo` has no `Policy` set. 1232 # `projects/bar` has no `Policy` set. 1233 # The accepted values at both levels are either all or none depending on 1234 # the value of `constraint_default` (if `ALLOW`, all; if 1235 # `DENY`, none). 1236 # 1237 # Example 6 (ListConstraint allowing all): 1238 # `organizations/foo` has a `Policy` with values: 1239 # {allowed_values: E1 allowed_values: E2} 1240 # `projects/bar` has a `Policy` with: 1241 # {all: ALLOW} 1242 # The accepted values at `organizations/foo` are `E1`, E2`. 1243 # Any value is accepted at `projects/bar`. 1244 # 1245 # Example 7 (ListConstraint allowing none): 1246 # `organizations/foo` has a `Policy` with values: 1247 # {allowed_values: E1 allowed_values: E2} 1248 # `projects/bar` has a `Policy` with: 1249 # {all: DENY} 1250 # The accepted values at `organizations/foo` are `E1`, E2`. 1251 # No value is accepted at `projects/bar`. 1252 "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration 1253 # that matches the value specified in this `Policy`. If `suggested_value` 1254 # is not set, it will inherit the value specified higher in the hierarchy, 1255 # unless `inherit_from_parent` is `false`. 1256 "deniedValues": [ # List of values denied at this resource. Can only be set if no values are 1257 # set for `allowed_values` and `all_values` is set to 1258 # `ALL_VALUES_UNSPECIFIED`. 1259 "A String", 1260 ], 1261 }, 1262 "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. 1263 # resource. 1264 "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any 1265 # configuration is acceptable. 1266 # 1267 # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess` 1268 # with `constraint_default` set to `ALLOW`. A `Policy` for that 1269 # `Constraint` exhibits the following behavior: 1270 # - If the `Policy` at this resource has enforced set to `false`, serial 1271 # port connection attempts will be allowed. 1272 # - If the `Policy` at this resource has enforced set to `true`, serial 1273 # port connection attempts will be refused. 1274 # - If the `Policy` at this resource is `RestoreDefault`, serial port 1275 # connection attempts will be allowed. 1276 # - If no `Policy` is set at this resource or anywhere higher in the 1277 # resource hierarchy, serial port connection attempts will be allowed. 1278 # - If no `Policy` is set at this resource, but one exists higher in the 1279 # resource hierarchy, the behavior is as if the`Policy` were set at 1280 # this resource. 1281 # 1282 # The following examples demonstrate the different possible layerings: 1283 # 1284 # Example 1 (nearest `Constraint` wins): 1285 # `organizations/foo` has a `Policy` with: 1286 # {enforced: false} 1287 # `projects/bar` has no `Policy` set. 1288 # The constraint at `projects/bar` and `organizations/foo` will not be 1289 # enforced. 1290 # 1291 # Example 2 (enforcement gets replaced): 1292 # `organizations/foo` has a `Policy` with: 1293 # {enforced: false} 1294 # `projects/bar` has a `Policy` with: 1295 # {enforced: true} 1296 # The constraint at `organizations/foo` is not enforced. 1297 # The constraint at `projects/bar` is enforced. 1298 # 1299 # Example 3 (RestoreDefault): 1300 # `organizations/foo` has a `Policy` with: 1301 # {enforced: true} 1302 # `projects/bar` has a `Policy` with: 1303 # {RestoreDefault: {}} 1304 # The constraint at `organizations/foo` is enforced. 1305 # The constraint at `projects/bar` is not enforced, because 1306 # `constraint_default` for the `Constraint` is `ALLOW`. 1307 }, 1308 "version": 42, # Version of the `Policy`. Default version is 0; 1309 "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for 1310 # concurrency control. 1311 # 1312 # When the `Policy` is returned from either a `GetPolicy` or a 1313 # `ListOrgPolicy` request, this `etag` indicates the version of the current 1314 # `Policy` to use when executing a read-modify-write loop. 1315 # 1316 # When the `Policy` is returned from a `GetEffectivePolicy` request, the 1317 # `etag` will be unset. 1318 # 1319 # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value 1320 # that was returned from a `GetOrgPolicy` request as part of a 1321 # read-modify-write loop for concurrency control. Not setting the `etag`in a 1322 # `SetOrgPolicy` request will result in an unconditional write of the 1323 # `Policy`. 1324 }</pre> 1325 </div> 1326 1327 </body></html>
