      1 <html><body>
      2 <style>
      3 
      4 body, h1, h2, h3, div, span, p, pre, a {
      5   margin: 0;
      6   padding: 0;
      7   border: 0;
      8   font-weight: inherit;
      9   font-style: inherit;
     10   font-size: 100%;
     11   font-family: inherit;
     12   vertical-align: baseline;
     13 }
     14 
     15 body {
     16   font-size: 13px;
     17   padding: 1em;
     18 }
     19 
     20 h1 {
     21   font-size: 26px;
     22   margin-bottom: 1em;
     23 }
     24 
     25 h2 {
     26   font-size: 24px;
     27   margin-bottom: 1em;
     28 }
     29 
     30 h3 {
     31   font-size: 20px;
     32   margin-bottom: 1em;
     33   margin-top: 1em;
     34 }
     35 
     36 pre, code {
     37   line-height: 1.5;
     38   font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
     39 }
     40 
     41 pre {
     42   margin-top: 0.5em;
     43 }
     44 
     45 h1, h2, h3, p {
     46   font-family: Arial, sans-serif;
     47 }
     48 
     49 h1, h2, h3 {
     50   border-bottom: solid #CCC 1px;
     51 }
     52 
     53 .toc_element {
     54   margin-top: 0.5em;
     55 }
     56 
     57 .firstline {
     58   margin-left: 2em;
     59 }
     60 
     61 .method  {
     62   margin-top: 1em;
     63   border: solid 1px #CCC;
     64   padding: 1em;
     65   background: #EEE;
     66 }
     67 
     68 .details {
     69   font-weight: bold;
     70   font-size: 14px;
     71 }
     72 
     73 </style>
     74 
     75 <h1><a href="cloudresourcemanager_v1.html">Google Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.organizations.html">organizations</a></h1>
     76 <h2>Instance Methods</h2>
     77 <p class="toc_element">
     78   <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
     79 <p class="firstline">Clears a `Policy` from a resource.</p>
     80 <p class="toc_element">
     81   <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
     82 <p class="firstline">Fetches an Organization resource identified by the specified resource name.</p>
     83 <p class="toc_element">
     84   <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
     85 <p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
     86 <p class="toc_element">
     87   <code><a href="#getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</a></code></p>
     88 <p class="firstline">Gets the access control policy for an Organization resource. May be empty</p>
     89 <p class="toc_element">
     90   <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
     91 <p class="firstline">Gets a `Policy` on a resource.</p>
     92 <p class="toc_element">
     93   <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
     94 <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
     95 <p class="toc_element">
     96   <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
     97 <p class="firstline">Retrieves the next page of results.</p>
     98 <p class="toc_element">
     99   <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
    100 <p class="firstline">Lists all the `Policies` set for a particular resource.</p>
    101 <p class="toc_element">
    102   <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
    103 <p class="firstline">Retrieves the next page of results.</p>
    104 <p class="toc_element">
    105   <code><a href="#search">search(body, x__xgafv=None)</a></code></p>
    106 <p class="firstline">Searches Organization resources that are visible to the user and satisfy</p>
    107 <p class="toc_element">
    108   <code><a href="#search_next">search_next(previous_request, previous_response)</a></code></p>
    109 <p class="firstline">Retrieves the next page of results.</p>
    110 <p class="toc_element">
    111   <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
    112 <p class="firstline">Sets the access control policy on an Organization resource. Replaces any</p>
    113 <p class="toc_element">
    114   <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
    115 <p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
    116 <p class="toc_element">
    117   <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
    118 <p class="firstline">Returns permissions that a caller has on the specified Organization.</p>
    119 <h3>Method Details</h3>
    120 <div class="method">
    121     <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
    122   <pre>Clears a `Policy` from a resource.
    123 
    124 Args:
    125   resource: string, Name of the resource for the `Policy` to clear. (required)
    126   body: object, The request body. (required)
    127     The object takes the form of:
    128 
    129 { # The request sent to the ClearOrgPolicy method.
    130     "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
    131         # will cause the `Policy` to be cleared blindly.
    132     "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
    133   }
    134 
    135   x__xgafv: string, V1 error format.
    136     Allowed values
    137       1 - v1 error format
    138       2 - v2 error format
    139 
    140 Returns:
    141   An object of the form:
    142 
    143     { # A generic empty message that you can re-use to avoid defining duplicated
    144       # empty messages in your APIs. A typical example is to use it as the request
    145       # or the response type of an API method. For instance:
    146       #
    147       #     service Foo {
    148       #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
    149       #     }
    150       #
    151       # The JSON representation for `Empty` is empty JSON object `{}`.
    152   }</pre>
    153 </div>
    154 
    155 <div class="method">
    156     <code class="details" id="get">get(name, x__xgafv=None)</code>
    157   <pre>Fetches an Organization resource identified by the specified resource name.
    158 
    159 Args:
    160   name: string, The resource name of the Organization to fetch, e.g. "organizations/1234". (required)
    161   x__xgafv: string, V1 error format.
    162     Allowed values
    163       1 - v1 error format
    164       2 - v2 error format
    165 
    166 Returns:
    167   An object of the form:
    168 
    169     { # The root node in the resource hierarchy to which a particular entity's
    170       # (e.g., company) resources belong.
    171     "owner": { # The owner of this Organization. The owner should be specified on
    172         # creation. Once set, it cannot be changed.
    173         # This field is required.
    174         # The entity that owns an Organization. The lifetime of the Organization and
    175         # all of its descendants are bound to the `OrganizationOwner`. If the
    176         # `OrganizationOwner` is deleted, the Organization and all its descendants will be deleted.
    177       "directoryCustomerId": "A String", # The Google for Work customer id used in the Directory API.
    178     },
    179     "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server.
    180         # @OutputOnly
    181     "displayName": "A String", # A friendly string to be used to refer to the Organization in the UI.
    182         # Assigned by the server, set to the primary domain of the G Suite
    183         # customer that owns the organization.
    184         # @OutputOnly
    185     "name": "A String", # Output Only. The resource name of the organization. This is the
    186         # organization's relative path in the API. Its format is
    187         # "organizations/[organization_id]". For example, "organizations/1234".
    188     "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server.
    189         # @OutputOnly
    190   }</pre>
    191 </div>
    192 
    193 <div class="method">
    194     <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
    195   <pre>Gets the effective `Policy` on a resource. This is the result of merging
    196 `Policies` in the resource hierarchy. The returned `Policy` will not have
    197 an `etag` set because it is a computed `Policy` across multiple resources.
    198 
    199 Args:
    200   resource: string, The name of the resource to start computing the effective `Policy`. (required)
    201   body: object, The request body. (required)
    202     The object takes the form of:
    203 
    204 { # The request sent to the GetEffectiveOrgPolicy method.
    205     "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
    206   }
    207 
    208   x__xgafv: string, V1 error format.
    209     Allowed values
    210       1 - v1 error format
    211       2 - v2 error format
    212 
    213 Returns:
    214   An object of the form:
    215 
    216     { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
    217       # for configurations of Cloud Platform resources.
    218     "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
    219         # server, not specified by the caller, and represents the last time a call to
    220         # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
    221         # be ignored.
    222     "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
    223         # `constraints/serviceuser.services`.
    224         #
    225         # Immutable after creation.
    226     "restoreDefault": { # Restores the default behavior of the constraint; independent of
    227         # `Constraint` type.
    228         # Ignores policies set above this resource and restores the
    229         # `constraint_default` enforcement behavior of the specific `Constraint` at this resource.
    230         #
    231         # Suppose that `constraint_default` is set to `ALLOW` for the
    232         # `Constraint` `constraints/serviceuser.services`. Suppose that organization
    233         # foo.com sets a `Policy` at their Organization resource node that restricts
    234         # the allowed service activations to deny all service activations. They
    235         # could then set a `Policy` with the `policy_type` `restore_default` on
    236         # several experimental projects, restoring the `constraint_default`
    237         # enforcement of the `Constraint` for only those projects, allowing those
    238         # projects to have all services activated.
    239     },
    240     "listPolicy": { # List of values either allowed or disallowed.
    241         # Used in `policy_type` to specify how `list_policy` behaves at this resource.
    242         #
    243         # A `ListPolicy` can define specific values that are allowed or denied by
    244         # setting either the `allowed_values` or `denied_values` fields. It can also
    245         # be used to allow or deny all values, by setting the `all_values` field. If
    246         # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
    247         # or `denied_values` must be set (attempting to set both or neither will
    248         # result in a failed request). If `all_values` is set to either `ALLOW` or
    249         # `DENY`, `allowed_values` and `denied_values` must be unset.
    250       "allValues": "A String", # The policy all_values state.
    251       "allowedValues": [ # List of values allowed at this resource. Can only be set if no values are
    252           # set for `denied_values` and `all_values` is set to
    253           # `ALL_VALUES_UNSPECIFIED`.
    254         "A String",
    255       ],
    256       "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
    257           #
    258           # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
    259           # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
    260           # set to `true`, then the values from the effective `Policy` of the parent
    261           # resource are inherited, meaning the values set in this `Policy` are
    262           # added to the values inherited up the hierarchy.
    263           #
    264           # Setting `Policy` hierarchies that inherit both allowed values and denied
    265           # values isn't recommended in most circumstances to keep the configuration
    266           # simple and understandable. However, it is possible to set a `Policy` with
    267           # `allowed_values` set that inherits a `Policy` with `denied_values` set.
    268           # In this case, the values that are allowed must be in `allowed_values` and
    269           # not present in `denied_values`.
    270           #
    271           # For example, suppose you have a `Constraint`
    272           # `constraints/serviceuser.services`, which has a `constraint_type` of
    273           # `list_constraint`, and with `constraint_default` set to `ALLOW`.
    274           # Suppose that at the Organization level, a `Policy` is applied that
    275           # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
    276           # `Policy` is applied to a project below the Organization that has
    277           # `inherit_from_parent` set to `false` and field all_values set to DENY,
    278           # then an attempt to activate any API will be denied.
    279           #
    280           # The following examples demonstrate different possible layerings:
    281           #
    282           # Example 1 (no inherited values):
    283           #   `organizations/foo` has a `Policy` with values:
    284           #     {allowed_values: E1 allowed_values:E2}
    285           #   `projects/bar` has `inherit_from_parent` `false` and values:
    286           #     {allowed_values: "E3" allowed_values: "E4"}
    287           # The accepted values at `organizations/foo` are `E1`, `E2`.
    288           # The accepted values at `projects/bar` are `E3`, and `E4`.
    289           #
    290           # Example 2 (inherited values):
    291           #   `organizations/foo` has a `Policy` with values:
    292           #     {allowed_values: E1 allowed_values:E2}
    293           #   `projects/bar` has a `Policy` with values:
    294           #     {value: E3 value: E4 inherit_from_parent: true}
    295           # The accepted values at `organizations/foo` are `E1`, `E2`.
    296           # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
    297           #
    298           # Example 3 (inheriting both allowed and denied values):
    299           #   `organizations/foo` has a `Policy` with values:
    300           #     {allowed_values: "E1" allowed_values: "E2"}
    301           #   `projects/bar` has a `Policy` with:
    302           #     {denied_values: "E1"}
    303           # The accepted values at `organizations/foo` are `E1`, `E2`.
    304           # The value accepted at `projects/bar` is `E2`.
    305           #
    306           # Example 4 (RestoreDefault):
    307           #   `organizations/foo` has a `Policy` with values:
    308           #     {allowed_values: E1 allowed_values:E2}
    309           #   `projects/bar` has a `Policy` with values:
    310           #     {RestoreDefault: {}}
    311           # The accepted values at `organizations/foo` are `E1`, `E2`.
    312           # The accepted values at `projects/bar` are either all or none depending on
    313           # the value of `constraint_default` (if `ALLOW`, all; if
    314           # `DENY`, none).
    315           #
    316           # Example 5 (no policy inherits parent policy):
    317           #   `organizations/foo` has no `Policy` set.
    318           #   `projects/bar` has no `Policy` set.
    319           # The accepted values at both levels are either all or none depending on
    320           # the value of `constraint_default` (if `ALLOW`, all; if
    321           # `DENY`, none).
    322           #
    323           # Example 6 (ListConstraint allowing all):
    324           #   `organizations/foo` has a `Policy` with values:
    325           #     {allowed_values: E1 allowed_values: E2}
    326           #   `projects/bar` has a `Policy` with:
    327           #     {all: ALLOW}
    328           # The accepted values at `organizations/foo` are `E1`, `E2`.
    329           # Any value is accepted at `projects/bar`.
    330           #
    331           # Example 7 (ListConstraint allowing none):
    332           #   `organizations/foo` has a `Policy` with values:
    333           #     {allowed_values: E1 allowed_values: E2}
    334           #   `projects/bar` has a `Policy` with:
    335           #     {all: DENY}
    336           # The accepted values at `organizations/foo` are `E1`, `E2`.
    337           # No value is accepted at `projects/bar`.
    338       "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
    339           # that matches the value specified in this `Policy`. If `suggested_value`
    340           # is not set, it will inherit the value specified higher in the hierarchy,
    341           # unless `inherit_from_parent` is `false`.
    342       "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
    343           # set for `allowed_values` and `all_values` is set to
    344           # `ALL_VALUES_UNSPECIFIED`.
    345         "A String",
    346       ],
    347     },
    348     "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
    349         # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
    350       "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
    351           # configuration is acceptable.
    352           #
    353           # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
    354           # with `constraint_default` set to `ALLOW`. A `Policy` for that
    355           # `Constraint` exhibits the following behavior:
    356           #   - If the `Policy` at this resource has enforced set to `false`, serial
    357           #     port connection attempts will be allowed.
    358           #   - If the `Policy` at this resource has enforced set to `true`, serial
    359           #     port connection attempts will be refused.
    360           #   - If the `Policy` at this resource is `RestoreDefault`, serial port
    361           #     connection attempts will be allowed.
    362           #   - If no `Policy` is set at this resource or anywhere higher in the
    363           #     resource hierarchy, serial port connection attempts will be allowed.
    364           #   - If no `Policy` is set at this resource, but one exists higher in the
    365           #     resource hierarchy, the behavior is as if the `Policy` were set at
    366           #     this resource.
    367           #
    368           # The following examples demonstrate the different possible layerings:
    369           #
    370           # Example 1 (nearest `Constraint` wins):
    371           #   `organizations/foo` has a `Policy` with:
    372           #     {enforced: false}
    373           #   `projects/bar` has no `Policy` set.
    374           # The constraint at `projects/bar` and `organizations/foo` will not be
    375           # enforced.
    376           #
    377           # Example 2 (enforcement gets replaced):
    378           #   `organizations/foo` has a `Policy` with:
    379           #     {enforced: false}
    380           #   `projects/bar` has a `Policy` with:
    381           #     {enforced: true}
    382           # The constraint at `organizations/foo` is not enforced.
    383           # The constraint at `projects/bar` is enforced.
    384           #
    385           # Example 3 (RestoreDefault):
    386           #   `organizations/foo` has a `Policy` with:
    387           #     {enforced: true}
    388           #   `projects/bar` has a `Policy` with:
    389           #     {RestoreDefault: {}}
    390           # The constraint at `organizations/foo` is enforced.
    391           # The constraint at `projects/bar` is not enforced, because
    392           # `constraint_default` for the `Constraint` is `ALLOW`.
    393     },
    394     "version": 42, # Version of the `Policy`. Default version is 0.
    395     "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
    396         # concurrency control.
    397         #
    398         # When the `Policy` is returned from either a `GetPolicy` or a
    399         # `ListOrgPolicy` request, this `etag` indicates the version of the current
    400         # `Policy` to use when executing a read-modify-write loop.
    401         #
    402         # When the `Policy` is returned from a `GetEffectivePolicy` request, the
    403         # `etag` will be unset.
    404         #
    405         # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
    406         # that was returned from a `GetOrgPolicy` request as part of a
    407         # read-modify-write loop for concurrency control. Not setting the `etag` in a
    408         # `SetOrgPolicy` request will result in an unconditional write of the
    409         # `Policy`.
    410   }</pre>
    411 </div>
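<p>The `ListPolicy` layering rules and Examples 1 to 7 documented for getEffectiveOrgPolicy above, as a small offline model. This is an added example, not code from the API or its client library: the class and function names are hypothetical, and treating `allValues` as replacing whatever was inherited is an assumption the page does not spell out.</p>

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Effective:
    """Computed result for one resource. allowed=None means no allow-list applies."""
    allowed: Optional[FrozenSet[str]]
    denied: FrozenSet[str]

    def accepts(self, value: str) -> bool:
        in_allowed = self.allowed is None or value in self.allowed
        return in_allowed and value not in self.denied


def constraint_default_state(constraint_default: str) -> Effective:
    """`constraint_default` ALLOW accepts every value, DENY accepts none."""
    if constraint_default == "ALLOW":
        return Effective(None, frozenset())
    if constraint_default == "DENY":
        return Effective(frozenset(), frozenset())
    raise ValueError(f"unknown constraint_default: {constraint_default!r}")


def validate_list_policy(lp: dict) -> str:
    """Apply the documented field rules and return the allValues state."""
    all_values = lp.get("allValues", "ALL_VALUES_UNSPECIFIED")
    has_allowed = bool(lp.get("allowedValues"))
    has_denied = bool(lp.get("deniedValues"))
    if all_values in ("ALLOW", "DENY"):
        if has_allowed or has_denied:
            raise ValueError("allowedValues/deniedValues must be unset with allValues")
    elif all_values != "ALL_VALUES_UNSPECIFIED":
        raise ValueError(f"unknown allValues: {all_values!r}")
    elif has_allowed == has_denied:
        raise ValueError("set exactly one of allowedValues or deniedValues")
    return all_values


def effective_list_policy(chain: Sequence[Optional[dict]],
                          constraint_default: str = "ALLOW") -> Effective:
    """Walk policies from the organization down to the target resource.

    Each element of `chain` is a Policy dict in the JSON form shown above,
    or None when no Policy is set at that node.
    """
    state = constraint_default_state(constraint_default)
    for policy in chain:
        if policy is None:
            continue  # no Policy here: behaves as the parent does (Example 5)
        if "restoreDefault" in policy:
            # Ignores everything set above this resource (Example 4).
            state = constraint_default_state(constraint_default)
            continue
        lp = policy.get("listPolicy")
        if lp is None:
            raise ValueError("not a list policy")
        all_values = validate_list_policy(lp)
        if all_values == "ALLOW":        # Example 6
            state = Effective(None, frozenset())
        elif all_values == "DENY":       # Example 7
            state = Effective(frozenset(), frozenset())
        else:
            allowed = frozenset(lp.get("allowedValues", ()))
            denied = frozenset(lp.get("deniedValues", ()))
            if lp.get("inheritFromParent", False):
                if allowed:
                    # Values are added to those inherited (Example 2).
                    merged = None if state.allowed is None else state.allowed | allowed
                    state = Effective(merged, state.denied)
                else:
                    # Inherited allow-list minus the denied values (Example 3).
                    state = Effective(state.allowed, state.denied | denied)
            else:
                # Supersedes anything set higher in the hierarchy (Example 1).
                state = Effective(allowed if allowed else None, denied)
    return state


if __name__ == "__main__":
    # Constructed sample mirroring Example 3; inheritFromParent is set
    # explicitly here because the model needs it to inherit the allow-list.
    org = {"listPolicy": {"allowedValues": ["E1", "E2"]}}
    project = {"listPolicy": {"deniedValues": ["E1"], "inheritFromParent": True}}
    result = effective_list_policy([org, project])
    for value in ("E1", "E2", "E3"):
        print(value, "accepted" if result.accepts(value) else "rejected")
```

<p>Running a proposed `Policy` through a model like this before calling setOrgPolicy shows whether a child resource would end up accepting more values than its organization-level allow-list.</p>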
    412 
    413 <div class="method">
    414     <code class="details" id="getIamPolicy">getIamPolicy(resource, body, x__xgafv=None)</code>
    415   <pre>Gets the access control policy for an Organization resource. May be empty
    416 if no such policy or resource exists. The `resource` field should be the
    417 organization's resource name, e.g. "organizations/123".
    418 
    419 Args:
    420   resource: string, REQUIRED: The resource for which the policy is being requested.
    421 See the operation documentation for the appropriate value for this field. (required)
    422   body: object, The request body. (required)
    423     The object takes the form of:
    424 
    425 { # Request message for `GetIamPolicy` method.
    426   }
    427 
    428   x__xgafv: string, V1 error format.
    429     Allowed values
    430       1 - v1 error format
    431       2 - v2 error format
    432 
    433 Returns:
    434   An object of the form:
    435 
    436     { # Defines an Identity and Access Management (IAM) policy. It is used to
    437       # specify access control policies for Cloud Platform resources.
    438       #
    439       #
    440       # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
    441       # `members` to a `role`, where the members can be user accounts, Google groups,
    442       # Google domains, and service accounts. A `role` is a named list of permissions
    443       # defined by IAM.
    444       #
    445       # **Example**
    446       #
    447       #     {
    448       #       "bindings": [
    449       #         {
    450       #           "role": "roles/owner",
    451       #           "members": [
    452       #             "user:mike@example.com",
    453       #             "group:admins@example.com",
    454       #             "domain:google.com",
    455       #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
    456       #           ]
    457       #         },
    458       #         {
    459       #           "role": "roles/viewer",
    460       #           "members": ["user:sean@example.com"]
    461       #         }
    462       #       ]
    463       #     }
    464       #
    465       # For a description of IAM and its features, see the
    466       # [IAM developer's guide](https://cloud.google.com/iam).
    467     "bindings": [ # Associates a list of `members` to a `role`.
    468         # Multiple `bindings` must not be specified for the same `role`.
    469         # `bindings` with no members will result in an error.
    470       { # Associates `members` with a `role`.
    471         "role": "A String", # Role that is assigned to `members`.
    472             # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    473             # Required
    474         "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
    475             # `members` can have the following values:
    476             #
    477             # * `allUsers`: A special identifier that represents anyone who is
    478             #    on the internet; with or without a Google account.
    479             #
    480             # * `allAuthenticatedUsers`: A special identifier that represents anyone
    481             #    who is authenticated with a Google account or a service account.
    482             #
    483             # * `user:{emailid}`: An email address that represents a specific Google
    484             #    account. For example, `alice@gmail.com` or `joe@example.com`.
    485             #
    486             #
    487             # * `serviceAccount:{emailid}`: An email address that represents a service
    488             #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    489             #
    490             # * `group:{emailid}`: An email address that represents a Google group.
    491             #    For example, `admins@example.com`.
    492             #
    493             #
    494             # * `domain:{domain}`: A Google Apps domain name that represents all the
    495             #    users of that domain. For example, `google.com` or `example.com`.
    496             #
    497           "A String",
    498         ],
    499       },
    500     ],
    501     "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
    502       { # Specifies the audit configuration for a service.
    503           # The configuration determines which permission types are logged, and what
    504           # identities, if any, are exempted from logging.
    505           # An AuditConfig must have one or more AuditLogConfigs.
    506           #
    507           # If there are AuditConfigs for both `allServices` and a specific service,
    508           # the union of the two AuditConfigs is used for that service: the log_types
    509           # specified in each AuditConfig are enabled, and the exempted_members in each
    510           # AuditConfig are exempted.
    511           #
    512           # Example Policy with multiple AuditConfigs:
    513           #
    514           #     {
    515           #       "audit_configs": [
    516           #         {
    517           #           "service": "allServices",
    518           #           "audit_log_configs": [
    519           #             {
    520           #               "log_type": "DATA_READ",
    521           #               "exempted_members": [
    522           #                 "user:foo@gmail.com"
    523           #               ]
    524           #             },
    525           #             {
    526           #               "log_type": "DATA_WRITE",
    527           #             },
    528           #             {
    529           #               "log_type": "ADMIN_READ",
    530           #             }
    531           #           ]
    532           #         },
    533           #         {
    534           #           "service": "fooservice.googleapis.com",
    535           #           "audit_log_configs": [
    536           #             {
    537           #               "log_type": "DATA_READ",
    538           #             },
    539           #             {
    540           #               "log_type": "DATA_WRITE",
    541           #               "exempted_members": [
    542           #                 "user:bar@gmail.com"
    543           #               ]
    544           #             }
    545           #           ]
    546           #         }
    547           #       ]
    548           #     }
    549           #
    550           # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
    551           # logging. It also exempts foo@gmail.com from DATA_READ logging, and
    552           # bar@gmail.com from DATA_WRITE logging.
    553         "auditLogConfigs": [ # The configuration for logging of each type of permission.
    554             # Next ID: 4
    555           { # Provides the configuration for logging a type of permissions.
    556               # Example:
    557               #
    558               #     {
    559               #       "audit_log_configs": [
    560               #         {
    561               #           "log_type": "DATA_READ",
    562               #           "exempted_members": [
    563               #             "user:foo@gmail.com"
    564               #           ]
    565               #         },
    566               #         {
    567               #           "log_type": "DATA_WRITE",
    568               #         }
    569               #       ]
    570               #     }
    571               #
    572               # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
    573               # foo@gmail.com from DATA_READ logging.
    574             "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
    575                 # permission.
    576                 # Follows the same format of Binding.members.
    577               "A String",
    578             ],
    579             "logType": "A String", # The log type that this config enables.
    580           },
    581         ],
    582         "service": "A String", # Specifies a service that will be enabled for audit logging.
    583             # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
    584             # `allServices` is a special value that covers all services.
    585       },
    586     ],
    587     "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
    588         # prevent simultaneous updates of a policy from overwriting each other.
    589         # It is strongly suggested that systems make use of the `etag` in the
    590         # read-modify-write cycle to perform policy updates in order to avoid race
    591         # conditions: An `etag` is returned in the response to `getIamPolicy`, and
    592         # systems are expected to put that etag in the request to `setIamPolicy` to
    593         # ensure that their change will be applied to the same version of the policy.
    594         #
    595         # If no `etag` is provided in the call to `setIamPolicy`, then the existing
    596         # policy is overwritten blindly.
    597     "version": 42, # Version of the `Policy`. The default version is 0.
    598   }</pre>
    599 </div>
    600 
    601 <div class="method">
    602     <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
    603   <pre>Gets a `Policy` on a resource.
    604 
    605 If no `Policy` is set on the resource, a `Policy` is returned with default
    606 values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
    607 `etag` value can be used with `SetOrgPolicy()` to create or update a
    608 `Policy` during read-modify-write.
    609 
    610 Args:
    611   resource: string, Name of the resource the `Policy` is set on. (required)
    612   body: object, The request body. (required)
    613     The object takes the form of:
    614 
    615 { # The request sent to the GetOrgPolicy method.
    616     "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
    617   }
    618 
    619   x__xgafv: string, V1 error format.
    620     Allowed values
    621       1 - v1 error format
    622       2 - v2 error format
    623 
    624 Returns:
    625   An object of the form:
    626 
    627     { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
    628       # for configurations of Cloud Platform resources.
    629     "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
    630         # server, not specified by the caller, and represents the last time a call to
    631         # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
    632         # be ignored.
    633     "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
    634         # `constraints/serviceuser.services`.
    635         #
    636         # Immutable after creation.
    637     "restoreDefault": { # Restores the default behavior of the constraint; independent of
    638         # `Constraint` type. Ignores policies set above this resource and restores the
    639         # `constraint_default` enforcement behavior of the specific `Constraint` at
    640         # this resource.
    641         #
    642         # Suppose that `constraint_default` is set to `ALLOW` for the
    643         # `Constraint` `constraints/serviceuser.services`. Suppose that organization
    644         # foo.com sets a `Policy` at their Organization resource node that restricts
    645         # the allowed service activations to deny all service activations. They
    646         # could then set a `Policy` with the `policy_type` `restore_default` on
    647         # several experimental projects, restoring the `constraint_default`
    648         # enforcement of the `Constraint` for only those projects, allowing those
    649         # projects to have all services activated.
    650     },
    651     "listPolicy": { # List of values either allowed or disallowed.
    652         # Used in `policy_type` to specify how `list_policy` behaves at this resource.
    653         #
    654         # A `ListPolicy` can define specific values that are allowed or denied by
    655         # setting either the `allowed_values` or `denied_values` fields. It can also
    656         # be used to allow or deny all values, by setting the `all_values` field. If
    657         # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
    658         # or `denied_values` must be set (attempting to set both or neither will
    659         # result in a failed request). If `all_values` is set to either `ALLOW` or
    660         # `DENY`, `allowed_values` and `denied_values` must be unset.
    661       "allValues": "A String", # The policy all_values state.
    662       "allowedValues": [ # List of values allowed at this resource. Can only be set if no values are
    663           # set for `denied_values` and `all_values` is set to
    664           # `ALL_VALUES_UNSPECIFIED`.
    665         "A String",
    666       ],
    667       "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
    668           #
    669           # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
    670           # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
    671           # set to `true`, then the values from the effective `Policy` of the parent
    672           # resource are inherited, meaning the values set in this `Policy` are
    673           # added to the values inherited up the hierarchy.
    674           #
    675           # Setting `Policy` hierarchies that inherit both allowed values and denied
    676           # values isn't recommended in most circumstances to keep the configuration
    677           # simple and understandable. However, it is possible to set a `Policy` with
    678           # `allowed_values` set that inherits a `Policy` with `denied_values` set.
    679           # In this case, the values that are allowed must be in `allowed_values` and
    680           # not present in `denied_values`.
    681           #
    682           # For example, suppose you have a `Constraint`
    683           # `constraints/serviceuser.services`, which has a `constraint_type` of
    684           # `list_constraint`, and with `constraint_default` set to `ALLOW`.
    685           # Suppose that at the Organization level, a `Policy` is applied that
    686           # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
    687           # `Policy` is applied to a project below the Organization that has
    688           # `inherit_from_parent` set to `false` and field all_values set to DENY,
    689           # then an attempt to activate any API will be denied.
    690           #
    691           # The following examples demonstrate different possible layerings:
    692           #
    693           # Example 1 (no inherited values):
    694           #   `organizations/foo` has a `Policy` with values:
    695           #     {allowed_values: E1 allowed_values:E2}
    696           #   `projects/bar` has `inherit_from_parent` `false` and values:
    697           #     {allowed_values: "E3" allowed_values: "E4"}
    698           # The accepted values at `organizations/foo` are `E1`, `E2`.
    699           # The accepted values at `projects/bar` are `E3`, and `E4`.
    700           #
    701           # Example 2 (inherited values):
    702           #   `organizations/foo` has a `Policy` with values:
    703           #     {allowed_values: E1 allowed_values:E2}
    704           #   `projects/bar` has a `Policy` with values:
    705           #     {value: E3 value: E4 inherit_from_parent: true}
    706           # The accepted values at `organizations/foo` are `E1`, `E2`.
    707           # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
    708           #
    709           # Example 3 (inheriting both allowed and denied values):
    710           #   `organizations/foo` has a `Policy` with values:
    711           #     {allowed_values: "E1" allowed_values: "E2"}
    712           #   `projects/bar` has a `Policy` with:
    713           #     {denied_values: "E1"}
    714           # The accepted values at `organizations/foo` are `E1`, `E2`.
    715           # The value accepted at `projects/bar` is `E2`.
    716           #
    717           # Example 4 (RestoreDefault):
    718           #   `organizations/foo` has a `Policy` with values:
    719           #     {allowed_values: E1 allowed_values:E2}
    720           #   `projects/bar` has a `Policy` with values:
    721           #     {RestoreDefault: {}}
    722           # The accepted values at `organizations/foo` are `E1`, `E2`.
    723           # The accepted values at `projects/bar` are either all or none depending on
    724           # the value of `constraint_default` (if `ALLOW`, all; if
    725           # `DENY`, none).
    726           #
    727           # Example 5 (no policy inherits parent policy):
    728           #   `organizations/foo` has no `Policy` set.
    729           #   `projects/bar` has no `Policy` set.
    730           # The accepted values at both levels are either all or none depending on
    731           # the value of `constraint_default` (if `ALLOW`, all; if
    732           # `DENY`, none).
    733           #
    734           # Example 6 (ListConstraint allowing all):
    735           #   `organizations/foo` has a `Policy` with values:
    736           #     {allowed_values: E1 allowed_values: E2}
    737           #   `projects/bar` has a `Policy` with:
    738           #     {all: ALLOW}
    739           # The accepted values at `organizations/foo` are `E1`, `E2`.
    740           # Any value is accepted at `projects/bar`.
    741           #
    742           # Example 7 (ListConstraint allowing none):
    743           #   `organizations/foo` has a `Policy` with values:
    744           #     {allowed_values: E1 allowed_values: E2}
    745           #   `projects/bar` has a `Policy` with:
    746           #     {all: DENY}
    747           # The accepted values at `organizations/foo` are `E1`, `E2`.
    748           # No value is accepted at `projects/bar`.
    749       "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
    750           # that matches the value specified in this `Policy`. If `suggested_value`
    751           # is not set, it will inherit the value specified higher in the hierarchy,
    752           # unless `inherit_from_parent` is `false`.
    753       "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
    754           # set for `allowed_values` and `all_values` is set to
    755           # `ALL_VALUES_UNSPECIFIED`.
    756         "A String",
    757       ],
    758     },
    759     "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
    760         # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
    761       "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
    762           # configuration is acceptable.
    763           #
    764           # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
    765           # with `constraint_default` set to `ALLOW`. A `Policy` for that
    766           # `Constraint` exhibits the following behavior:
    767           #   - If the `Policy` at this resource has enforced set to `false`, serial
    768           #     port connection attempts will be allowed.
    769           #   - If the `Policy` at this resource has enforced set to `true`, serial
    770           #     port connection attempts will be refused.
    771           #   - If the `Policy` at this resource is `RestoreDefault`, serial port
    772           #     connection attempts will be allowed.
    773           #   - If no `Policy` is set at this resource or anywhere higher in the
    774           #     resource hierarchy, serial port connection attempts will be allowed.
    775           #   - If no `Policy` is set at this resource, but one exists higher in the
    776           #     resource hierarchy, the behavior is as if the `Policy` were set at
    777           #     this resource.
    778           #
    779           # The following examples demonstrate the different possible layerings:
    780           #
    781           # Example 1 (nearest `Constraint` wins):
    782           #   `organizations/foo` has a `Policy` with:
    783           #     {enforced: false}
    784           #   `projects/bar` has no `Policy` set.
    785           # The constraint at `projects/bar` and `organizations/foo` will not be
    786           # enforced.
    787           #
    788           # Example 2 (enforcement gets replaced):
    789           #   `organizations/foo` has a `Policy` with:
    790           #     {enforced: false}
    791           #   `projects/bar` has a `Policy` with:
    792           #     {enforced: true}
    793           # The constraint at `organizations/foo` is not enforced.
    794           # The constraint at `projects/bar` is enforced.
    795           #
    796           # Example 3 (RestoreDefault):
    797           #   `organizations/foo` has a `Policy` with:
    798           #     {enforced: true}
    799           #   `projects/bar` has a `Policy` with:
    800           #     {RestoreDefault: {}}
    801           # The constraint at `organizations/foo` is enforced.
    802           # The constraint at `projects/bar` is not enforced, because
    803           # `constraint_default` for the `Constraint` is `ALLOW`.
    804     },
    805     "version": 42, # Version of the `Policy`. Default version is 0.
    806     "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
    807         # concurrency control.
    808         #
    809         # When the `Policy` is returned from either a `GetPolicy` or a
    810         # `ListOrgPolicy` request, this `etag` indicates the version of the current
    811         # `Policy` to use when executing a read-modify-write loop.
    812         #
    813         # When the `Policy` is returned from a `GetEffectivePolicy` request, the
    814         # `etag` will be unset.
    815         #
    816         # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
    817         # that was returned from a `GetOrgPolicy` request as part of a
    818         # read-modify-write loop for concurrency control. Not setting the `etag` in a
    819         # `SetOrgPolicy` request will result in an unconditional write of the
    820         # `Policy`.
    821   }</pre>
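<p>Added example (not part of the generated API reference or the client library): an offline model of the `etag` read-modify-write loop described for `getIamPolicy`/`setIamPolicy` and for `GetOrgPolicy`/`SetOrgPolicy`. `FakePolicyStore`, `EtagMismatch` and the helper names are hypothetical stand-ins for the server, and the policy values are constructed sample data.</p>

```python
"""Offline model of the etag check described above; not the real API client."""
import copy

CONSTRAINT = "constraints/serviceuser.services"  # constraint name used on this page


class EtagMismatch(Exception):
    """Hypothetical error: the write carried an etag that is no longer current."""


class FakePolicyStore:
    """Constructed stand-in for the server side of GetOrgPolicy/SetOrgPolicy."""

    def __init__(self, policy):
        self._version = 0
        self.rejected_writes = 0
        self._policy = {}
        self._commit(policy)

    def _commit(self, policy):
        self._version += 1
        stored = copy.deepcopy(policy)
        stored["etag"] = "etag-%d" % self._version  # server assigns a fresh tag
        self._policy = stored

    def get(self):
        return copy.deepcopy(self._policy)

    def set(self, policy):
        sent = policy.get("etag")
        # No etag: unconditional write. Stale etag: reject instead of overwriting.
        if sent is not None and sent != self._policy["etag"]:
            self.rejected_writes += 1
            raise EtagMismatch("policy changed since it was read")
        self._commit(policy)
        return self.get()


def deny(value):
    """Return an idempotent mutation that adds `value` to deniedValues."""
    def mutate(policy):
        denied = policy["listPolicy"].setdefault("deniedValues", [])
        if value not in denied:
            denied.append(value)
    return mutate


def update_with_retry(store, mutate, first_read=None, max_attempts=3):
    """Read-modify-write loop: re-read and re-apply whenever the etag is stale.

    `first_read` lets the demo inject a snapshot taken before another writer ran.
    """
    policy = store.get() if first_read is None else first_read
    for _ in range(max_attempts):
        mutate(policy)
        try:
            return store.set(policy)
        except EtagMismatch:
            policy = store.get()
    raise RuntimeError("gave up after %d conflicting writes" % max_attempts)


def initial_store():
    """Constructed starting policy: one denied value, E1."""
    return FakePolicyStore({"constraint": CONSTRAINT,
                            "listPolicy": {"deniedValues": ["E1"]}})


def blind_write_scenario():
    """Writer B drops the etag, so writer A's denied value E3 is silently lost."""
    store = initial_store()
    a, b = store.get(), store.get()      # both read the same version
    deny("E3")(a)
    store.set(a)
    deny("E4")(b)
    del b["etag"]                        # unconditional write
    store.set(b)
    return store.get()["listPolicy"]["deniedValues"]


def guarded_scenario():
    """Same race, but B keeps the etag: its stale write is rejected and retried."""
    store = initial_store()
    stale = store.get()
    update_with_retry(store, deny("E3"))
    update_with_retry(store, deny("E4"), first_read=stale)
    return store.get()["listPolicy"]["deniedValues"], store.rejected_writes


if __name__ == "__main__":
    print("blind  :", blind_write_scenario())
    print("guarded:", guarded_scenario())
```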
    822 </div>
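<p>Added example (not part of the generated API reference): a small evaluator for the `ListPolicy` layering rules documented above, checked against Examples 1 to 7. All class and function names are hypothetical. It assumes that a policy with only `denied_values` and no inheritance accepts every other value, and that Example 3 sets `inherit_from_parent` to `true`.</p>

```python
"""Model of the ListPolicy layering rules documented above (Examples 1-7)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Union

UNSPECIFIED, ALLOW, DENY = "ALL_VALUES_UNSPECIFIED", "ALLOW", "DENY"
RESTORE_DEFAULT = "RESTORE_DEFAULT"  # sentinel for a `restore_default` policy

# Constructed sample hierarchy, named after the resources used in the examples.
PARENTS: Dict[str, Optional[str]] = {
    "organizations/foo": None,
    "projects/bar": "organizations/foo",
}


@dataclass(frozen=True)
class ListPolicy:
    allowed_values: FrozenSet[str] = frozenset()
    denied_values: FrozenSet[str] = frozenset()
    all_values: str = UNSPECIFIED
    inherit_from_parent: bool = False


@dataclass(frozen=True)
class Effective:
    """Accumulated result: a value passes if not denied and (allow_all or listed)."""
    allow_all: bool
    allowed: FrozenSet[str] = frozenset()
    denied: FrozenSet[str] = frozenset()

    def accepts(self, value: str) -> bool:
        return value not in self.denied and (self.allow_all or value in self.allowed)


def validation_error(policy: ListPolicy) -> Optional[str]:
    """Return why the request would fail, or None if the combination is valid."""
    if policy.all_values in (ALLOW, DENY):
        if policy.allowed_values or policy.denied_values:
            return "allowed_values and denied_values must be unset with all_values"
        return None
    if bool(policy.allowed_values) == bool(policy.denied_values):
        return "exactly one of allowed_values or denied_values must be set"
    return None


def effective(resource: str, parents: Dict[str, Optional[str]],
              policies: Dict[str, Union[ListPolicy, str]],
              constraint_default: str) -> Effective:
    """Walk from the root down to `resource`, applying each policy in turn."""
    default = Effective(allow_all=(constraint_default == ALLOW))
    chain: List[str] = []
    current: Optional[str] = resource
    while current is not None:
        chain.append(current)
        current = parents.get(current)
    state = default
    for name in reversed(chain):
        policy = policies.get(name)
        if policy is None:                  # nothing set here: inherit as-is
            continue
        if policy == RESTORE_DEFAULT:       # ignore everything set above
            state = default
            continue
        problem = validation_error(policy)
        if problem:
            raise ValueError("%s: %s" % (name, problem))
        if policy.all_values in (ALLOW, DENY):
            state = Effective(allow_all=(policy.all_values == ALLOW))
            continue
        if policy.inherit_from_parent:
            base = state                    # values are added to inherited ones
        else:
            # Assumption: a deny-only policy accepts every value it does not list.
            base = Effective(allow_all=not policy.allowed_values)
        state = Effective(base.allow_all,
                          base.allowed | policy.allowed_values,
                          base.denied | policy.denied_values)
    return state


def accepted_values(resource: str, policies: Dict[str, Union[ListPolicy, str]],
                    constraint_default: str, universe: Iterable[str]) -> List[str]:
    """Return the values from `universe` accepted at `resource`, sorted."""
    state = effective(resource, PARENTS, policies, constraint_default)
    return sorted(v for v in universe if state.accepts(v))


if __name__ == "__main__":
    org = ListPolicy(allowed_values=frozenset({"E1", "E2"}))
    bar = ListPolicy(denied_values=frozenset({"E1"}), inherit_from_parent=True)
    layered = {"organizations/foo": org, "projects/bar": bar}
    print(accepted_values("projects/bar", layered, ALLOW, ["E1", "E2", "E3"]))
```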
    823 
    824 <div class="method">
    825     <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
    826   <pre>Lists `Constraints` that could be applied on the specified resource.
    827 
    828 Args:
    829   resource: string, Name of the resource to list `Constraints` for. (required)
    830   body: object, The request body. (required)
    831     The object takes the form of:
    832 
    833 { # The request sent to the [ListAvailableOrgPolicyConstraints]
    834       # [google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
    835     "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
    836         # and will be ignored. The server may at any point start using this field.
    837     "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
    838         # be ignored. The server may at any point start using this field to limit
    839         # page size.
    840   }
    841 
    842   x__xgafv: string, V1 error format.
    843     Allowed values
    844       1 - v1 error format
    845       2 - v2 error format
    846 
    847 Returns:
    848   An object of the form:
    849 
    850     { # The response returned from the ListAvailableOrgPolicyConstraints method.
    851       # Returns all `Constraints` that could be set at this level of the hierarchy
    852       # (contrast with the response from `ListPolicies`, which returns all policies
    853       # which are set).
    854     "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
    855     "constraints": [ # The collection of constraints that are settable on the request resource.
    856       { # A `Constraint` describes a way in which a resource's configuration can be
    857           # restricted. For example, it controls which cloud services can be activated
    858           # across an organization, or whether a Compute Engine instance can have
    859           # serial port connections established. `Constraints` can be configured by the
    860           # organization's policy administrator to fit the needs of the organization by
    861           # setting Policies for `Constraints` at different locations in the
    862           # organization's resource hierarchy. Policies are inherited down the resource
    863           # hierarchy from higher levels, but can also be overridden. For details about
    864           # the inheritance rules please read about
    865           # Policies.
    866           #
    867           # `Constraints` have a default behavior determined by the `constraint_default`
    868           # field, which is the enforcement behavior that is used in the absence of a
    869           # `Policy` being defined or inherited for the resource in question.
    870         "constraintDefault": "A String", # The evaluation behavior of this constraint in the absence of 'Policy'.
    871         "displayName": "A String", # The human readable name.
    872             #
    873             # Mutable.
    874         "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
    875             # where it is enforced.
    876             #
    877             # Mutable.
    878         "booleanConstraint": { # Defines this constraint as being a BooleanConstraint. A `Constraint` that is either enforced or not.
    879             #
    880             # For example a constraint `constraints/compute.disableSerialPortAccess`.
    881             # If it is enforced on a VM instance, serial port connections will not be
    882             # opened to that instance.
    883         },
    884         "version": 42, # Version of the `Constraint`. Default version is 0.
    885         "listConstraint": { # Defines this constraint as being a ListConstraint. A `Constraint` that allows or disallows a list of string values, which are
    886             # configured by an Organization's policy administrator with a `Policy`.
    887           "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
    888               # that matches the value specified in this `Constraint`.
    889         },
    890         "name": "A String", # Immutable value, required to globally be unique. For example,
    891             # `constraints/serviceuser.services`
    892       },
    893     ],
    894   }</pre>
    895 </div>
    896 
    897 <div class="method">
    898     <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
    899   <pre>Retrieves the next page of results.
    900 
    901 Args:
    902   previous_request: The request for the previous page. (required)
    903   previous_response: The response from the request for the previous page. (required)
    904 
    905 Returns:
    906   A request object that you can call 'execute()' on to request the next
    907   page. Returns None if there are no more items in the collection.
    908     </pre>
    909 </div>
    910 
    911 <div class="method">
    912     <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
    913   <pre>Lists all the `Policies` set for a particular resource.
    914 
    915 Args:
    916   resource: string, Name of the resource to list Policies for. (required)
    917   body: object, The request body. (required)
    918     The object takes the form of:
    919 
    920 { # The request sent to the ListOrgPolicies method.
    921     "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
    922         # and will be ignored. The server may at any point start using this field.
    923     "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
    924         # be ignored. The server may at any point start using this field to limit
    925         # page size.
    926   }
    927 
    928   x__xgafv: string, V1 error format.
    929     Allowed values
    930       1 - v1 error format
    931       2 - v2 error format
    932 
    933 Returns:
    934   An object of the form:
    935 
    936     { # The response returned from the ListOrgPolicies method. It will be empty
    937       # if no `Policies` are set on the resource.
    938     "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
    939         # the server may at any point start supplying a valid token.
    940     "policies": [ # The `Policies` that are set on the resource. It will be empty if no
    941         # `Policies` are set.
    942       { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
    943           # for configurations of Cloud Platform resources.
    944         "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
    945             # server, not specified by the caller, and represents the last time a call to
    946             # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
    947             # be ignored.
    948         "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
    949             # `constraints/serviceuser.services`.
    950             #
    951             # Immutable after creation.
    952         "restoreDefault": { # Restores the default behavior of the constraint; independent of
    953             # `Constraint` type. Ignores policies set above this resource and restores the
    954             # `constraint_default` enforcement behavior of the specific `Constraint` at
    955             # this resource.
    956             #
    957             # Suppose that `constraint_default` is set to `ALLOW` for the
    958             # `Constraint` `constraints/serviceuser.services`. Suppose that organization
    959             # foo.com sets a `Policy` at their Organization resource node that restricts
    960             # the allowed service activations to deny all service activations. They
    961             # could then set a `Policy` with the `policy_type` `restore_default` on
    962             # several experimental projects, restoring the `constraint_default`
    963             # enforcement of the `Constraint` for only those projects, allowing those
    964             # projects to have all services activated.
    965         },
    966         "listPolicy": { # List of values either allowed or disallowed.
    967             # Used in `policy_type` to specify how `list_policy` behaves at this resource.
    968             #
    969             # A `ListPolicy` can define specific values that are allowed or denied by
    970             # setting either the `allowed_values` or `denied_values` fields. It can also
    971             # be used to allow or deny all values, by setting the `all_values` field. If
    972             # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
    973             # or `denied_values` must be set (attempting to set both or neither will
    974             # result in a failed request). If `all_values` is set to either `ALLOW` or
    975             # `DENY`, `allowed_values` and `denied_values` must be unset.
    976           "allValues": "A String", # The policy all_values state.
    977           "allowedValues": [ # List of values allowed at this resource. Can only be set if no values are
    978               # set for `denied_values` and `all_values` is set to
    979               # `ALL_VALUES_UNSPECIFIED`.
    980             "A String",
    981           ],
    982           "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
    983               #
    984               # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
    985               # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
    986               # set to `true`, then the values from the effective `Policy` of the parent
    987               # resource are inherited, meaning the values set in this `Policy` are
    988               # added to the values inherited up the hierarchy.
    989               #
    990               # Setting `Policy` hierarchies that inherit both allowed values and denied
    991               # values isn't recommended in most circumstances to keep the configuration
    992               # simple and understandable. However, it is possible to set a `Policy` with
    993               # `allowed_values` set that inherits a `Policy` with `denied_values` set.
    994               # In this case, the values that are allowed must be in `allowed_values` and
    995               # not present in `denied_values`.
    996               #
    997               # For example, suppose you have a `Constraint`
    998               # `constraints/serviceuser.services`, which has a `constraint_type` of
    999               # `list_constraint`, and with `constraint_default` set to `ALLOW`.
   1000               # Suppose that at the Organization level, a `Policy` is applied that
   1001               # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
   1002               # `Policy` is applied to a project below the Organization that has
   1003               # `inherit_from_parent` set to `false` and field all_values set to DENY,
   1004               # then an attempt to activate any API will be denied.
   1005               #
   1006               # The following examples demonstrate different possible layerings:
   1007               #
   1008               # Example 1 (no inherited values):
   1009               #   `organizations/foo` has a `Policy` with values:
   1010               #     {allowed_values: E1 allowed_values:E2}
   1011               #   `projects/bar` has `inherit_from_parent` `false` and values:
   1012               #     {allowed_values: "E3" allowed_values: "E4"}
   1013               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1014               # The accepted values at `projects/bar` are `E3`, and `E4`.
   1015               #
   1016               # Example 2 (inherited values):
   1017               #   `organizations/foo` has a `Policy` with values:
   1018               #     {allowed_values: E1 allowed_values:E2}
   1019               #   `projects/bar` has a `Policy` with values:
   1020               #     {value: E3 value: E4 inherit_from_parent: true}
   1021               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1022               # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
   1023               #
   1024               # Example 3 (inheriting both allowed and denied values):
   1025               #   `organizations/foo` has a `Policy` with values:
   1026               #     {allowed_values: "E1" allowed_values: "E2"}
   1027               #   `projects/bar` has a `Policy` with:
   1028               #     {denied_values: "E1"}
   1029               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1030               # The value accepted at `projects/bar` is `E2`.
   1031               #
   1032               # Example 4 (RestoreDefault):
   1033               #   `organizations/foo` has a `Policy` with values:
   1034               #     {allowed_values: E1 allowed_values:E2}
   1035               #   `projects/bar` has a `Policy` with values:
   1036               #     {RestoreDefault: {}}
   1037               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1038               # The accepted values at `projects/bar` are either all or none depending on
   1039               # the value of `constraint_default` (if `ALLOW`, all; if
   1040               # `DENY`, none).
   1041               #
   1042               # Example 5 (no policy inherits parent policy):
   1043               #   `organizations/foo` has no `Policy` set.
   1044               #   `projects/bar` has no `Policy` set.
   1045               # The accepted values at both levels are either all or none depending on
   1046               # the value of `constraint_default` (if `ALLOW`, all; if
   1047               # `DENY`, none).
   1048               #
   1049               # Example 6 (ListConstraint allowing all):
   1050               #   `organizations/foo` has a `Policy` with values:
   1051               #     {allowed_values: E1 allowed_values: E2}
   1052               #   `projects/bar` has a `Policy` with:
   1053               #     {all: ALLOW}
   1054               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1055               # Any value is accepted at `projects/bar`.
   1056               #
   1057               # Example 7 (ListConstraint allowing none):
   1058               #   `organizations/foo` has a `Policy` with values:
   1059               #     {allowed_values: E1 allowed_values: E2}
   1060               #   `projects/bar` has a `Policy` with:
   1061               #     {all: DENY}
   1062               # The accepted values at `organizations/foo` are `E1`, `E2`.
   1063               # No value is accepted at `projects/bar`.
   1064           "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
   1065               # that matches the value specified in this `Policy`. If `suggested_value`
   1066               # is not set, it will inherit the value specified higher in the hierarchy,
   1067               # unless `inherit_from_parent` is `false`.
   1068           "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
   1069               # set for `allowed_values` and `all_values` is set to
   1070               # `ALL_VALUES_UNSPECIFIED`.
   1071             "A String",
   1072           ],
   1073         },
   1074         "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
   1075             # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
   1076           "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
   1077               # configuration is acceptable.
   1078               #
   1079               # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
   1080               # with `constraint_default` set to `ALLOW`. A `Policy` for that
   1081               # `Constraint` exhibits the following behavior:
   1082               #   - If the `Policy` at this resource has enforced set to `false`, serial
   1083               #     port connection attempts will be allowed.
   1084               #   - If the `Policy` at this resource has enforced set to `true`, serial
   1085               #     port connection attempts will be refused.
   1086               #   - If the `Policy` at this resource is `RestoreDefault`, serial port
   1087               #     connection attempts will be allowed.
   1088               #   - If no `Policy` is set at this resource or anywhere higher in the
   1089               #     resource hierarchy, serial port connection attempts will be allowed.
   1090               #   - If no `Policy` is set at this resource, but one exists higher in the
   1091               #     resource hierarchy, the behavior is as if the `Policy` were set at
   1092               #     this resource.
   1093               #
   1094               # The following examples demonstrate the different possible layerings:
   1095               #
   1096               # Example 1 (nearest `Constraint` wins):
   1097               #   `organizations/foo` has a `Policy` with:
   1098               #     {enforced: false}
   1099               #   `projects/bar` has no `Policy` set.
   1100               # The constraint at `projects/bar` and `organizations/foo` will not be
   1101               # enforced.
   1102               #
   1103               # Example 2 (enforcement gets replaced):
   1104               #   `organizations/foo` has a `Policy` with:
   1105               #     {enforced: false}
   1106               #   `projects/bar` has a `Policy` with:
   1107               #     {enforced: true}
   1108               # The constraint at `organizations/foo` is not enforced.
   1109               # The constraint at `projects/bar` is enforced.
   1110               #
   1111               # Example 3 (RestoreDefault):
   1112               #   `organizations/foo` has a `Policy` with:
   1113               #     {enforced: true}
   1114               #   `projects/bar` has a `Policy` with:
   1115               #     {RestoreDefault: {}}
   1116               # The constraint at `organizations/foo` is enforced.
   1117               # The constraint at `projects/bar` is not enforced, because
   1118               # `constraint_default` for the `Constraint` is `ALLOW`.
   1119         },
   1120         "version": 42, # Version of the `Policy`. Default version is 0.
   1121         "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
   1122             # concurrency control.
   1123             #
   1124             # When the `Policy` is returned from either a `GetPolicy` or a
   1125             # `ListOrgPolicy` request, this `etag` indicates the version of the current
   1126             # `Policy` to use when executing a read-modify-write loop.
   1127             #
   1128             # When the `Policy` is returned from a `GetEffectivePolicy` request, the
   1129             # `etag` will be unset.
   1130             #
   1131             # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
   1132             # that was returned from a `GetOrgPolicy` request as part of a
   1133             # read-modify-write loop for concurrency control. Not setting the `etag` in a
   1134             # `SetOrgPolicy` request will result in an unconditional write of the
   1135             # `Policy`.
   1136       },
   1137     ],
   1138   }</pre>
   1139 </div>
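<p>The layering rules for boolean <code>Constraints</code> described under <code>booleanPolicy</code> above, as an added example that is not part of the generated reference or the client library: a local model that resolves enforcement down a resource hierarchy and lists the resources that relax an enforced ancestor. The function names, the <code>chain</code> input shape and the treatment of a <code>DENY</code> default are assumptions; the three sample chains are the page's Examples 1 to 3.</p>

```python
# Added example: a local model of boolean-Constraint layering, not the API's
# own implementation. Function names and input shape are hypothetical.

def resolve_boolean_policy(chain, constraint_default="ALLOW"):
    """Resolve effective enforcement for every resource in a hierarchy.

    chain: list of (resource_name, policy) ordered from the root down to the
           target. policy is None when no `Policy` is set on that resource,
           otherwise {"booleanPolicy": {"enforced": bool}} or
           {"restoreDefault": {}}.
    Returns {resource_name: (enforced, decided_by)}.
    """
    # Assumption: a boolean Constraint whose constraint_default is DENY is
    # enforced by default; the page only spells out the ALLOW case.
    default = (constraint_default == "DENY", "constraint_default")
    inherited = default  # what a resource without its own Policy falls back to
    result = {}
    for name, policy in chain:
        if policy is None:
            decision = inherited  # behaves as if the nearest Policy above were set here
        elif "restoreDefault" in policy:
            decision = (default[0], name + " (restoreDefault)")
        elif "booleanPolicy" in policy:
            decision = (bool(policy["booleanPolicy"].get("enforced", False)), name)
        else:
            raise ValueError("not a boolean Policy on " + name)
        result[name] = decision
        inherited = decision
    return result


def relaxations(chain, constraint_default="ALLOW"):
    """Resources whose own Policy turns off enforcement inherited from above."""
    resolved = resolve_boolean_policy(chain, constraint_default)
    found = []
    parent_enforced = constraint_default == "DENY"
    for name, policy in chain:
        enforced = resolved[name][0]
        if policy is not None and parent_enforced and not enforced:
            found.append(name)
        parent_enforced = enforced
    return found


# The page's three layering examples for a Constraint with default ALLOW.
EXAMPLE_1 = [("organizations/foo", {"booleanPolicy": {"enforced": False}}),
             ("projects/bar", None)]
EXAMPLE_2 = [("organizations/foo", {"booleanPolicy": {"enforced": False}}),
             ("projects/bar", {"booleanPolicy": {"enforced": True}})]
EXAMPLE_3 = [("organizations/foo", {"booleanPolicy": {"enforced": True}}),
             ("projects/bar", {"restoreDefault": {}})]

if __name__ == "__main__":
    for label, chain in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3)):
        print("Example", label, resolve_boolean_policy(chain), relaxations(chain))
```

<p>Only Example 3 reports a relaxation: the project-level <code>restoreDefault</code> switches off a constraint that the organization enforces.</p>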
   1140 
   1141 <div class="method">
   1142     <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
   1143   <pre>Retrieves the next page of results.
   1144 
   1145 Args:
   1146   previous_request: The request for the previous page. (required)
   1147   previous_response: The response from the request for the previous page. (required)
   1148 
   1149 Returns:
   1150   A request object that you can call 'execute()' on to request the next
   1151   page. Returns None if there are no more items in the collection.
   1152     </pre>
   1153 </div>
   1154 
   1155 <div class="method">
   1156     <code class="details" id="search">search(body, x__xgafv=None)</code>
   1157   <pre>Searches Organization resources that are visible to the user and satisfy
   1158 the specified filter. This method returns Organizations in an unspecified
   1159 order. New Organizations do not necessarily appear at the end of the
   1160 results.
   1161 
   1162 Args:
   1163   body: object, The request body. (required)
   1164     The object takes the form of:
   1165 
   1166 { # The request sent to the `SearchOrganizations` method.
   1167     "filter": "A String", # An optional query string used to filter the Organizations to return in
   1168         # the response. Filter rules are case-insensitive.
   1169         # 
   1170         # 
   1171         # Organizations may be filtered by `owner.directoryCustomerId` or by
   1172         # `domain`, where the domain is a Google for Work domain, for example:
   1173         # 
   1174         # |Filter|Description|
   1175         # |------|-----------|
   1176         # |owner.directorycustomerid:123456789|Organizations with
   1177         # `owner.directory_customer_id` equal to `123456789`.|
   1178         # |domain:google.com|Organizations corresponding to the domain `google.com`.|
   1179         # 
   1180         # This field is optional.
   1181     "pageToken": "A String", # A pagination token returned from a previous call to `SearchOrganizations`
   1182         # that indicates from where listing should continue.
   1183         # This field is optional.
   1184     "pageSize": 42, # The maximum number of Organizations to return in the response.
   1185         # This field is optional.
   1186   }
   1187 
   1188   x__xgafv: string, V1 error format.
   1189     Allowed values
   1190       1 - v1 error format
   1191       2 - v2 error format
   1192 
   1193 Returns:
   1194   An object of the form:
   1195 
   1196     { # The response returned from the `SearchOrganizations` method.
   1197     "nextPageToken": "A String", # A pagination token to be used to retrieve the next page of results. If the
   1198         # result is too large to fit within the page size specified in the request,
   1199         # this field will be set with a token that can be used to fetch the next page
   1200         # of results. If this field is empty, it indicates that this response
   1201         # contains the last page of results.
   1202     "organizations": [ # The list of Organizations that matched the search query, possibly
   1203         # paginated.
   1204       { # The root node in the resource hierarchy to which a particular entity's
   1205           # (e.g., company) resources belong.
   1206         "owner": { # The owner of this Organization. The owner should be specified on
   1207             # creation. Once set, it cannot be changed. This field is required.
   1208             # The entity that owns an Organization. The lifetime of the Organization and
   1209             # all of its descendants are bound to the `OrganizationOwner`. If the
   1210             # `OrganizationOwner` is deleted, the Organization and all its descendants will
   1211             # be deleted.
   1212           "directoryCustomerId": "A String", # The Google for Work customer id used in the Directory API.
   1213         },
   1214         "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server.
   1215             # @OutputOnly
   1216         "displayName": "A String", # A friendly string to be used to refer to the Organization in the UI.
   1217             # Assigned by the server, set to the primary domain of the G Suite
   1218             # customer that owns the organization.
   1219             # @OutputOnly
   1220         "name": "A String", # Output Only. The resource name of the organization. This is the
   1221             # organization's relative path in the API. Its format is
   1222             # "organizations/[organization_id]". For example, "organizations/1234".
   1223         "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server.
   1224             # @OutputOnly
   1225       },
   1226     ],
   1227   }</pre>
   1228 </div>
   1229 
   1230 <div class="method">
   1231     <code class="details" id="search_next">search_next(previous_request, previous_response)</code>
   1232   <pre>Retrieves the next page of results.
   1233 
   1234 Args:
   1235   previous_request: The request for the previous page. (required)
   1236   previous_response: The response from the request for the previous page. (required)
   1237 
   1238 Returns:
   1239   A request object that you can call 'execute()' on to request the next
   1240   page. Returns None if there are no more items in the collection.
   1241     </pre>
   1242 </div>
   1243 
   1244 <div class="method">
   1245     <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
   1246   <pre>Sets the access control policy on an Organization resource. Replaces any
   1247 existing policy. The `resource` field should be the organization's resource
   1248 name, e.g. "organizations/123".
   1249 
   1250 Args:
   1251   resource: string, REQUIRED: The resource for which the policy is being specified.
   1252 See the operation documentation for the appropriate value for this field. (required)
   1253   body: object, The request body. (required)
   1254     The object takes the form of:
   1255 
   1256 { # Request message for `SetIamPolicy` method.
   1257     "policy": { # REQUIRED: The complete policy to be applied to the `resource`. The size of
   1258         # the policy is limited to a few 10s of KB. An empty policy is a
   1259         # valid policy but certain Cloud Platform services (such as Projects)
   1260         # might reject them.
   1261         # Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.
   1262         #
   1263         #
   1264         # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
   1265         # `members` to a `role`, where the members can be user accounts, Google groups,
   1266         # Google domains, and service accounts. A `role` is a named list of permissions
   1267         # defined by IAM.
   1268         #
   1269         # **Example**
   1270         #
   1271         #     {
   1272         #       "bindings": [
   1273         #         {
   1274         #           "role": "roles/owner",
   1275         #           "members": [
   1276         #             "user:mike@example.com",
   1277         #             "group:admins@example.com",
   1278         #             "domain:google.com",
   1279         #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
   1280         #           ]
   1281         #         },
   1282         #         {
   1283         #           "role": "roles/viewer",
   1284         #           "members": ["user:sean@example.com"]
   1285         #         }
   1286         #       ]
   1287         #     }
   1288         #
   1289         # For a description of IAM and its features, see the
   1290         # [IAM developer's guide](https://cloud.google.com/iam).
   1291       "bindings": [ # Associates a list of `members` to a `role`.
   1292           # Multiple `bindings` must not be specified for the same `role`.
   1293           # `bindings` with no members will result in an error.
   1294         { # Associates `members` with a `role`.
   1295           "role": "A String", # Role that is assigned to `members`.
   1296               # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
   1297               # Required
   1298           "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
   1299               # `members` can have the following values:
   1300               #
   1301               # * `allUsers`: A special identifier that represents anyone who is
   1302               #    on the internet; with or without a Google account.
   1303               #
   1304               # * `allAuthenticatedUsers`: A special identifier that represents anyone
   1305               #    who is authenticated with a Google account or a service account.
   1306               #
   1307               # * `user:{emailid}`: An email address that represents a specific Google
   1308               #    account. For example, `alice@gmail.com` or `joe@example.com`.
   1309               #
   1310               #
   1311               # * `serviceAccount:{emailid}`: An email address that represents a service
   1312               #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
   1313               #
   1314               # * `group:{emailid}`: An email address that represents a Google group.
   1315               #    For example, `admins@example.com`.
   1316               #
   1317               #
   1318               # * `domain:{domain}`: A Google Apps domain name that represents all the
   1319               #    users of that domain. For example, `google.com` or `example.com`.
   1320               #
   1321             "A String",
   1322           ],
   1323         },
   1324       ],
   1325       "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
   1326         { # Specifies the audit configuration for a service.
   1327             # The configuration determines which permission types are logged, and what
   1328             # identities, if any, are exempted from logging.
   1329             # An AuditConfig must have one or more AuditLogConfigs.
   1330             #
   1331             # If there are AuditConfigs for both `allServices` and a specific service,
   1332             # the union of the two AuditConfigs is used for that service: the log_types
   1333             # specified in each AuditConfig are enabled, and the exempted_members in each
   1334             # AuditConfig are exempted.
   1335             #
   1336             # Example Policy with multiple AuditConfigs:
   1337             #
   1338             #     {
   1339             #       "audit_configs": [
   1340             #         {
   1341             #           "service": "allServices",
   1342             #           "audit_log_configs": [
   1343             #             {
   1344             #               "log_type": "DATA_READ",
   1345             #               "exempted_members": [
   1346             #                 "user:foo@gmail.com"
   1347             #               ]
   1348             #             },
   1349             #             {
   1350             #               "log_type": "DATA_WRITE",
   1351             #             },
   1352             #             {
   1353             #               "log_type": "ADMIN_READ",
   1354             #             }
   1355             #           ]
   1356             #         },
   1357             #         {
   1358             #           "service": "fooservice.googleapis.com",
   1359             #           "audit_log_configs": [
   1360             #             {
   1361             #               "log_type": "DATA_READ",
   1362             #             },
   1363             #             {
   1364             #               "log_type": "DATA_WRITE",
   1365             #               "exempted_members": [
   1366             #                 "user:bar@gmail.com"
   1367             #               ]
   1368             #             }
   1369             #           ]
   1370             #         }
   1371             #       ]
   1372             #     }
   1373             #
   1374             # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
   1375             # logging. It also exempts foo@gmail.com from DATA_READ logging, and
   1376             # bar@gmail.com from DATA_WRITE logging.
   1377           "auditLogConfigs": [ # The configuration for logging of each type of permission.
   1378               # Next ID: 4
   1379             { # Provides the configuration for logging a type of permissions.
   1380                 # Example:
   1381                 #
   1382                 #     {
   1383                 #       "audit_log_configs": [
   1384                 #         {
   1385                 #           "log_type": "DATA_READ",
   1386                 #           "exempted_members": [
   1387                 #             "user:foo@gmail.com"
   1388                 #           ]
   1389                 #         },
   1390                 #         {
   1391                 #           "log_type": "DATA_WRITE",
   1392                 #         }
   1393                 #       ]
   1394                 #     }
   1395                 #
   1396                 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
   1397                 # foo@gmail.com from DATA_READ logging.
   1398               "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
   1399                   # permission.
   1400                   # Follows the same format of Binding.members.
   1401                 "A String",
   1402               ],
   1403               "logType": "A String", # The log type that this config enables.
   1404             },
   1405           ],
   1406           "service": "A String", # Specifies a service that will be enabled for audit logging.
   1407               # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
   1408               # `allServices` is a special value that covers all services.
   1409         },
   1410       ],
   1411       "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
   1412           # prevent simultaneous updates of a policy from overwriting each other.
   1413           # It is strongly suggested that systems make use of the `etag` in the
   1414           # read-modify-write cycle to perform policy updates in order to avoid race
   1415           # conditions: An `etag` is returned in the response to `getIamPolicy`, and
   1416           # systems are expected to put that etag in the request to `setIamPolicy` to
   1417           # ensure that their change will be applied to the same version of the policy.
   1418           #
   1419           # If no `etag` is provided in the call to `setIamPolicy`, then the existing
   1420           # policy is overwritten blindly.
   1421       "version": 42, # Version of the `Policy`. The default version is 0.
   1422     },
   1423     "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
   1424         # the fields in the mask will be modified. If no mask is provided, the
   1425         # following default mask is used:
   1426         # paths: "bindings, etag"
   1427         # This field is only used by Cloud IAM.
   1428   }
   1429 
   1430   x__xgafv: string, V1 error format.
   1431     Allowed values
   1432       1 - v1 error format
   1433       2 - v2 error format
   1434 
   1435 Returns:
   1436   An object of the form:
   1437 
   1438     { # Defines an Identity and Access Management (IAM) policy. It is used to
   1439       # specify access control policies for Cloud Platform resources.
   1440       #
   1441       #
   1442       # A `Policy` consists of a list of `bindings`. A `Binding` binds a list of
   1443       # `members` to a `role`, where the members can be user accounts, Google groups,
   1444       # Google domains, and service accounts. A `role` is a named list of permissions
   1445       # defined by IAM.
   1446       #
   1447       # **Example**
   1448       #
   1449       #     {
   1450       #       "bindings": [
   1451       #         {
   1452       #           "role": "roles/owner",
   1453       #           "members": [
   1454       #             "user:mike@example.com",
   1455       #             "group:admins@example.com",
   1456       #             "domain:google.com",
   1457       #             "serviceAccount:my-other-app@appspot.gserviceaccount.com",
   1458       #           ]
   1459       #         },
   1460       #         {
   1461       #           "role": "roles/viewer",
   1462       #           "members": ["user:sean@example.com"]
   1463       #         }
   1464       #       ]
   1465       #     }
   1466       #
   1467       # For a description of IAM and its features, see the
   1468       # [IAM developer's guide](https://cloud.google.com/iam).
   1469     "bindings": [ # Associates a list of `members` to a `role`.
   1470         # Multiple `bindings` must not be specified for the same `role`.
   1471         # `bindings` with no members will result in an error.
   1472       { # Associates `members` with a `role`.
   1473         "role": "A String", # Role that is assigned to `members`.
   1474             # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
   1475             # Required
   1476         "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
   1477             # `members` can have the following values:
   1478             #
   1479             # * `allUsers`: A special identifier that represents anyone who is
   1480             #    on the internet; with or without a Google account.
   1481             #
   1482             # * `allAuthenticatedUsers`: A special identifier that represents anyone
   1483             #    who is authenticated with a Google account or a service account.
   1484             #
   1485             # * `user:{emailid}`: An email address that represents a specific Google
   1486             #    account. For example, `alice@gmail.com` or `joe@example.com`.
   1487             #
   1488             #
   1489             # * `serviceAccount:{emailid}`: An email address that represents a service
   1490             #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
   1491             #
   1492             # * `group:{emailid}`: An email address that represents a Google group.
   1493             #    For example, `admins@example.com`.
   1494             #
   1495             #
   1496             # * `domain:{domain}`: A Google Apps domain name that represents all the
   1497             #    users of that domain. For example, `google.com` or `example.com`.
   1498             #
   1499           "A String",
   1500         ],
   1501       },
   1502     ],
   1503     "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
   1504       { # Specifies the audit configuration for a service.
   1505           # The configuration determines which permission types are logged, and what
   1506           # identities, if any, are exempted from logging.
   1507           # An AuditConfig must have one or more AuditLogConfigs.
   1508           #
   1509           # If there are AuditConfigs for both `allServices` and a specific service,
   1510           # the union of the two AuditConfigs is used for that service: the log_types
   1511           # specified in each AuditConfig are enabled, and the exempted_members in each
   1512           # AuditConfig are exempted.
   1513           #
   1514           # Example Policy with multiple AuditConfigs:
   1515           #
   1516           #     {
   1517           #       "audit_configs": [
   1518           #         {
   1519           #           "service": "allServices",
   1520           #           "audit_log_configs": [
   1521           #             {
   1522           #               "log_type": "DATA_READ",
   1523           #               "exempted_members": [
   1524           #                 "user:foo@gmail.com"
   1525           #               ]
   1526           #             },
   1527           #             {
   1528           #               "log_type": "DATA_WRITE",
   1529           #             },
   1530           #             {
   1531           #               "log_type": "ADMIN_READ",
   1532           #             }
   1533           #           ]
   1534           #         },
   1535           #         {
   1536           #           "service": "fooservice.googleapis.com",
   1537           #           "audit_log_configs": [
   1538           #             {
   1539           #               "log_type": "DATA_READ",
   1540           #             },
   1541           #             {
   1542           #               "log_type": "DATA_WRITE",
   1543           #               "exempted_members": [
   1544           #                 "user:bar@gmail.com"
   1545           #               ]
   1546           #             }
   1547           #           ]
   1548           #         }
   1549           #       ]
   1550           #     }
   1551           #
   1552           # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
   1553           # logging. It also exempts foo@gmail.com from DATA_READ logging, and
   1554           # bar@gmail.com from DATA_WRITE logging.
   1555         "auditLogConfigs": [ # The configuration for logging of each type of permission.
   1556             # Next ID: 4
   1557           { # Provides the configuration for logging a type of permissions.
   1558               # Example:
   1559               #
   1560               #     {
   1561               #       "audit_log_configs": [
   1562               #         {
   1563               #           "log_type": "DATA_READ",
   1564               #           "exempted_members": [
   1565               #             "user:foo@gmail.com"
   1566               #           ]
   1567               #         },
   1568               #         {
   1569               #           "log_type": "DATA_WRITE",
   1570               #         }
   1571               #       ]
   1572               #     }
   1573               #
   1574               # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
   1575               # foo@gmail.com from DATA_READ logging.
   1576             "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
   1577                 # permission.
   1578                 # Follows the same format of Binding.members.
   1579               "A String",
   1580             ],
   1581             "logType": "A String", # The log type that this config enables.
   1582           },
   1583         ],
   1584         "service": "A String", # Specifies a service that will be enabled for audit logging.
   1585             # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
   1586             # `allServices` is a special value that covers all services.
   1587       },
   1588     ],
   1589     "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
   1590         # prevent simultaneous updates of a policy from overwriting each other.
   1591         # It is strongly suggested that systems make use of the `etag` in the
   1592         # read-modify-write cycle to perform policy updates in order to avoid race
   1593         # conditions: An `etag` is returned in the response to `getIamPolicy`, and
   1594         # systems are expected to put that etag in the request to `setIamPolicy` to
   1595         # ensure that their change will be applied to the same version of the policy.
   1596         #
   1597         # If no `etag` is provided in the call to `setIamPolicy`, then the existing
   1598         # policy is overwritten blindly.
   1599     "version": 42, # Version of the `Policy`. The default version is 0.
   1600   }</pre>
   1601 </div>
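<p>A pre-flight review of a <code>setIamPolicy</code> request body against the rules stated above (missing <code>etag</code>, duplicate or empty <code>bindings</code>, the public member identifiers, and the union of <code>allServices</code> and per-service <code>auditConfigs</code>), as an added example that is not part of the generated reference or the client library. The function names and the sample body are assumptions; the sample's <code>auditConfigs</code> are the page's own multi-AuditConfig example written with the schema's camelCase field names.</p>

```python
# Added example: offline checks on a setIamPolicy request body. Function names
# are hypothetical; nothing here calls the API.

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")


def lint_set_iam_policy_body(body):
    """Return (severity, message) findings for a setIamPolicy request body."""
    policy = body.get("policy")
    if policy is None:
        return [("error", "`policy` is REQUIRED")]
    findings = []
    if not policy.get("etag"):
        findings.append(("warning", "no etag: existing policy is overwritten blindly"))
    seen_roles = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = binding.get("members", [])
        if not role:
            findings.append(("error", "binding without a role"))
        elif role in seen_roles:
            findings.append(("error", f"multiple bindings for {role}"))
        seen_roles.add(role)
        if not members:
            findings.append(("error", f"binding for {role} has no members"))
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append(("warning", f"{role} granted to {member}"))
            elif not member.startswith(MEMBER_PREFIXES):
                # Not one of the member forms listed on this page.
                findings.append(("warning", f"unrecognised member form: {member}"))
    return findings


def effective_audit_config(policy, service):
    """Union of the `allServices` and service-specific AuditConfigs.

    Returns {logType: set(exempted members)} for the given service; every key
    is an enabled log type, every member in a set is not logged for that type.
    """
    effective = {}
    for config in policy.get("auditConfigs", []):
        if config.get("service") not in ("allServices", service):
            continue
        for log_config in config.get("auditLogConfigs", []):
            exempted = effective.setdefault(log_config["logType"], set())
            exempted.update(log_config.get("exemptedMembers", []))
    return effective


# Constructed sample body: no etag, a public member and a duplicated role.
SAMPLE_BODY = {
    "policy": {
        "bindings": [
            {"role": "roles/owner", "members": ["user:mike@example.com"]},
            {"role": "roles/viewer", "members": ["allUsers"]},
            {"role": "roles/viewer", "members": ["user:sean@example.com"]},
        ],
        "auditConfigs": [
            {"service": "allServices",
             "auditLogConfigs": [
                 {"logType": "DATA_READ", "exemptedMembers": ["user:foo@gmail.com"]},
                 {"logType": "DATA_WRITE"},
                 {"logType": "ADMIN_READ"},
             ]},
            {"service": "fooservice.googleapis.com",
             "auditLogConfigs": [
                 {"logType": "DATA_READ"},
                 {"logType": "DATA_WRITE", "exemptedMembers": ["user:bar@gmail.com"]},
             ]},
        ],
    }
}

if __name__ == "__main__":
    for severity, message in lint_set_iam_policy_body(SAMPLE_BODY):
        print(severity, message)
    print(effective_audit_config(SAMPLE_BODY["policy"], "fooservice.googleapis.com"))
```

<p>The non-empty sets returned by <code>effective_audit_config</code> are the identities whose actions of that log type leave no audit record for the service.</p>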
   1602 
   1603 <div class="method">
   1604     <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
   1605   <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
   1606 that `Constraint` on the resource if one does not exist.
   1607 
   1608 Not supplying an `etag` on the request `Policy` results in an unconditional
   1609 write of the `Policy`.
   1610 
   1611 Args:
   1612   resource: string, Resource name of the resource to attach the `Policy`. (required)
   1613   body: object, The request body. (required)
   1614     The object takes the form of:
   1615 
   1616 { # The request sent to the SetOrgPolicyRequest method.
   1617     "policy": { # `Policy` to set on the resource.
   1618         # Defines a Cloud Organization `Policy` which is used to specify `Constraints` for configurations of Cloud Platform resources.
   1619       "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
   1620           # server, not specified by the caller, and represents the last time a call to
   1621           # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
   1622           # be ignored.
   1623       "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
   1624           # `constraints/serviceuser.services`.
   1625           #
   1626           # Immutable after creation.
   1627       "restoreDefault": { # Restores the default behavior of the constraint; independent of `Constraint` type.
   1628           # Ignores policies set above this resource and restores the
   1629           # `constraint_default` enforcement behavior of the specific `Constraint` at
   1630           # this resource.
   1631           #
   1632           # Suppose that `constraint_default` is set to `ALLOW` for the
   1633           # `Constraint` `constraints/serviceuser.services`. Suppose that organization
   1634           # foo.com sets a `Policy` at their Organization resource node that restricts
   1635           # the allowed service activations to deny all service activations. They
   1636           # could then set a `Policy` with the `policy_type` `restore_default` on
   1637           # several experimental projects, restoring the `constraint_default`
   1638           # enforcement of the `Constraint` for only those projects, allowing those
   1639           # projects to have all services activated.
   1640       },
   1641       "listPolicy": { # List of values either allowed or disallowed.
   1642           # Used in `policy_type` to specify how `list_policy` behaves at this resource.
   1643           #
   1644           # A `ListPolicy` can define specific values that are allowed or denied by
   1645           # setting either the `allowed_values` or `denied_values` fields. It can also
   1646           # be used to allow or deny all values, by setting the `all_values` field. If
   1647           # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
   1648           # or `denied_values` must be set (attempting to set both or neither will
   1649           # result in a failed request). If `all_values` is set to either `ALLOW` or
   1650           # `DENY`, `allowed_values` and `denied_values` must be unset.
   1651         "allValues": "A String", # The policy all_values state.
   1652         "allowedValues": [ # List of values allowed at this resource. Can only be set if no values are
   1653             # set for `denied_values` and `all_values` is set to
   1654             # `ALL_VALUES_UNSPECIFIED`.
   1655           "A String",
   1656         ],
   1657         "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
   1658             #
   1659             # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
   1660             # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
   1661             # set to `true`, then the values from the effective `Policy` of the parent
   1662             # resource are inherited, meaning the values set in this `Policy` are
   1663             # added to the values inherited up the hierarchy.
   1664             #
   1665             # Setting `Policy` hierarchies that inherit both allowed values and denied
   1666             # values isn't recommended in most circumstances to keep the configuration
   1667             # simple and understandable. However, it is possible to set a `Policy` with
   1668             # `allowed_values` set that inherits a `Policy` with `denied_values` set.
   1669             # In this case, the values that are allowed must be in `allowed_values` and
   1670             # not present in `denied_values`.
   1671             #
   1672             # For example, suppose you have a `Constraint`
   1673             # `constraints/serviceuser.services`, which has a `constraint_type` of
   1674             # `list_constraint`, and with `constraint_default` set to `ALLOW`.
   1675             # Suppose that at the Organization level, a `Policy` is applied that
   1676             # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
   1677             # `Policy` is applied to a project below the Organization that has
   1678             # `inherit_from_parent` set to `false` and `all_values` set to `DENY`,
   1679             # then an attempt to activate any API will be denied.
   1680             #
   1681             # The following examples demonstrate different possible layerings:
   1682             #
   1683             # Example 1 (no inherited values):
   1684             #   `organizations/foo` has a `Policy` with values:
   1685             #     {allowed_values: E1 allowed_values:E2}
   1686             #   `projects/bar` has `inherit_from_parent` `false` and values:
   1687             #     {allowed_values: "E3" allowed_values: "E4"}
   1688             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1689             # The accepted values at `projects/bar` are `E3` and `E4`.
   1690             #
   1691             # Example 2 (inherited values):
   1692             #   `organizations/foo` has a `Policy` with values:
   1693             #     {allowed_values: E1 allowed_values:E2}
   1694             #   `projects/bar` has a `Policy` with values:
   1695             #     {value: E3 value: E4 inherit_from_parent: true}
   1696             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1697             # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
   1698             #
   1699             # Example 3 (inheriting both allowed and denied values):
   1700             #   `organizations/foo` has a `Policy` with values:
   1701             #     {allowed_values: "E1" allowed_values: "E2"}
   1702             #   `projects/bar` has a `Policy` with:
   1703             #     {denied_values: "E1"}
   1704             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1705             # The value accepted at `projects/bar` is `E2`.
   1706             #
   1707             # Example 4 (RestoreDefault):
   1708             #   `organizations/foo` has a `Policy` with values:
   1709             #     {allowed_values: E1 allowed_values:E2}
   1710             #   `projects/bar` has a `Policy` with values:
   1711             #     {RestoreDefault: {}}
   1712             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1713             # The accepted values at `projects/bar` are either all or none depending on
   1714             # the value of `constraint_default` (if `ALLOW`, all; if
   1715             # `DENY`, none).
   1716             #
   1717             # Example 5 (no policy inherits parent policy):
   1718             #   `organizations/foo` has no `Policy` set.
   1719             #   `projects/bar` has no `Policy` set.
   1720             # The accepted values at both levels are either all or none depending on
   1721             # the value of `constraint_default` (if `ALLOW`, all; if
   1722             # `DENY`, none).
   1723             #
   1724             # Example 6 (ListConstraint allowing all):
   1725             #   `organizations/foo` has a `Policy` with values:
   1726             #     {allowed_values: E1 allowed_values: E2}
   1727             #   `projects/bar` has a `Policy` with:
   1728             #     {all: ALLOW}
   1729             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1730             # Any value is accepted at `projects/bar`.
   1731             #
   1732             # Example 7 (ListConstraint allowing none):
   1733             #   `organizations/foo` has a `Policy` with values:
   1734             #     {allowed_values: E1 allowed_values: E2}
   1735             #   `projects/bar` has a `Policy` with:
   1736             #     {all: DENY}
   1737             # The accepted values at `organizations/foo` are `E1`, `E2`.
   1738             # No value is accepted at `projects/bar`.
   1739         "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
   1740             # that matches the value specified in this `Policy`. If `suggested_value`
   1741             # is not set, it will inherit the value specified higher in the hierarchy,
   1742             # unless `inherit_from_parent` is `false`.
   1743         "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
   1744             # set for `allowed_values` and `all_values` is set to
   1745             # `ALL_VALUES_UNSPECIFIED`.
   1746           "A String",
   1747         ],
   1748       },
   1749       "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
   1750           # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
   1751         "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
   1752             # configuration is acceptable.
   1753             #
   1754             # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
   1755             # with `constraint_default` set to `ALLOW`. A `Policy` for that
   1756             # `Constraint` exhibits the following behavior:
   1757             #   - If the `Policy` at this resource has enforced set to `false`, serial
   1758             #     port connection attempts will be allowed.
   1759             #   - If the `Policy` at this resource has enforced set to `true`, serial
   1760             #     port connection attempts will be refused.
   1761             #   - If the `Policy` at this resource is `RestoreDefault`, serial port
   1762             #     connection attempts will be allowed.
   1763             #   - If no `Policy` is set at this resource or anywhere higher in the
   1764             #     resource hierarchy, serial port connection attempts will be allowed.
   1765             #   - If no `Policy` is set at this resource, but one exists higher in the
   1766             #     resource hierarchy, the behavior is as if the `Policy` were set at
   1767             #     this resource.
   1768             #
   1769             # The following examples demonstrate the different possible layerings:
   1770             #
   1771             # Example 1 (nearest `Constraint` wins):
   1772             #   `organizations/foo` has a `Policy` with:
   1773             #     {enforced: false}
   1774             #   `projects/bar` has no `Policy` set.
   1775             # The constraint at `projects/bar` and `organizations/foo` will not be
   1776             # enforced.
   1777             #
   1778             # Example 2 (enforcement gets replaced):
   1779             #   `organizations/foo` has a `Policy` with:
   1780             #     {enforced: false}
   1781             #   `projects/bar` has a `Policy` with:
   1782             #     {enforced: true}
   1783             # The constraint at `organizations/foo` is not enforced.
   1784             # The constraint at `projects/bar` is enforced.
   1785             #
   1786             # Example 3 (RestoreDefault):
   1787             #   `organizations/foo` has a `Policy` with:
   1788             #     {enforced: true}
   1789             #   `projects/bar` has a `Policy` with:
   1790             #     {RestoreDefault: {}}
   1791             # The constraint at `organizations/foo` is enforced.
   1792             # The constraint at `projects/bar` is not enforced, because
   1793             # `constraint_default` for the `Constraint` is `ALLOW`.
   1794       },
   1795       "version": 42, # Version of the `Policy`. Default version is 0.
   1796       "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
   1797           # concurrency control.
   1798           #
   1799           # When the `Policy` is returned from either a `GetPolicy` or a
   1800           # `ListOrgPolicy` request, this `etag` indicates the version of the current
   1801           # `Policy` to use when executing a read-modify-write loop.
   1802           #
   1803           # When the `Policy` is returned from a `GetEffectivePolicy` request, the
   1804           # `etag` will be unset.
   1805           #
   1806           # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
   1807           # that was returned from a `GetOrgPolicy` request as part of a
   1808           # read-modify-write loop for concurrency control. Not setting the `etag` in a
   1809           # `SetOrgPolicy` request will result in an unconditional write of the
   1810           # `Policy`.
   1811     },
   1812   }
   1813 
   1814   x__xgafv: string, V1 error format.
   1815     Allowed values
   1816       1 - v1 error format
   1817       2 - v2 error format
   1818 
   1819 Returns:
   1820   An object of the form:
   1821 
   1822     { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
   1823       # for configurations of Cloud Platform resources.
   1824     "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
   1825         # server, not specified by the caller, and represents the last time a call to
   1826         # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
   1827         # be ignored.
   1828     "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
   1829         # `constraints/serviceuser.services`.
   1830         #
   1831         # Immutable after creation.
   1832     "restoreDefault": { # Restores the default behavior of the constraint; independent of
   1833         # `Constraint` type.
   1834         # Ignores policies set above this resource and restores the `constraint_default`
   1835         # enforcement behavior of the specific `Constraint` at this resource.
   1836         #
   1837         # Suppose that `constraint_default` is set to `ALLOW` for the
   1838         # `Constraint` `constraints/serviceuser.services`. Suppose that organization
   1839         # foo.com sets a `Policy` at their Organization resource node that restricts
   1840         # the allowed service activations to deny all service activations. They
   1841         # could then set a `Policy` with the `policy_type` `restore_default` on
   1842         # several experimental projects, restoring the `constraint_default`
   1843         # enforcement of the `Constraint` for only those projects, allowing those
   1844         # projects to have all services activated.
   1845     },
   1846     "listPolicy": { # List of values either allowed or disallowed.
   1847         # Used in `policy_type` to specify how `list_policy` behaves at this resource.
   1848         #
   1849         # A `ListPolicy` can define specific values that are allowed or denied by
   1850         # setting either the `allowed_values` or `denied_values` fields. It can also
   1851         # be used to allow or deny all values, by setting the `all_values` field. If
   1852         # `all_values` is `ALL_VALUES_UNSPECIFIED`, exactly one of `allowed_values`
   1853         # or `denied_values` must be set (attempting to set both or neither will
   1854         # result in a failed request). If `all_values` is set to either `ALLOW` or
   1855         # `DENY`, `allowed_values` and `denied_values` must be unset.
   1856       "allValues": "A String", # The policy all_values state.
   1857       "allowedValues": [ # List of values allowed at this resource. Can only be set if no values are
   1858           # set for `denied_values` and `all_values` is set to
   1859           # `ALL_VALUES_UNSPECIFIED`.
   1860         "A String",
   1861       ],
   1862       "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
   1863           #
   1864           # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
   1865           # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
   1866           # set to `true`, then the values from the effective `Policy` of the parent
   1867           # resource are inherited, meaning the values set in this `Policy` are
   1868           # added to the values inherited up the hierarchy.
   1869           #
   1870           # Setting `Policy` hierarchies that inherit both allowed values and denied
   1871           # values isn't recommended in most circumstances to keep the configuration
   1872           # simple and understandable. However, it is possible to set a `Policy` with
   1873           # `allowed_values` set that inherits a `Policy` with `denied_values` set.
   1874           # In this case, the values that are allowed must be in `allowed_values` and
   1875           # not present in `denied_values`.
   1876           #
   1877           # For example, suppose you have a `Constraint`
   1878           # `constraints/serviceuser.services`, which has a `constraint_type` of
   1879           # `list_constraint`, and with `constraint_default` set to `ALLOW`.
   1880           # Suppose that at the Organization level, a `Policy` is applied that
   1881           # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
   1882           # `Policy` is applied to a project below the Organization that has
   1883           # `inherit_from_parent` set to `false` and `all_values` set to `DENY`,
   1884           # then an attempt to activate any API will be denied.
   1885           #
   1886           # The following examples demonstrate different possible layerings:
   1887           #
   1888           # Example 1 (no inherited values):
   1889           #   `organizations/foo` has a `Policy` with values:
   1890           #     {allowed_values: E1 allowed_values:E2}
   1891           #   `projects/bar` has `inherit_from_parent` `false` and values:
   1892           #     {allowed_values: "E3" allowed_values: "E4"}
   1893           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1894           # The accepted values at `projects/bar` are `E3` and `E4`.
   1895           #
   1896           # Example 2 (inherited values):
   1897           #   `organizations/foo` has a `Policy` with values:
   1898           #     {allowed_values: E1 allowed_values:E2}
   1899           #   `projects/bar` has a `Policy` with values:
   1900           #     {value: E3 value: E4 inherit_from_parent: true}
   1901           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1902           # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
   1903           #
   1904           # Example 3 (inheriting both allowed and denied values):
   1905           #   `organizations/foo` has a `Policy` with values:
   1906           #     {allowed_values: "E1" allowed_values: "E2"}
   1907           #   `projects/bar` has a `Policy` with:
   1908           #     {denied_values: "E1"}
   1909           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1910           # The value accepted at `projects/bar` is `E2`.
   1911           #
   1912           # Example 4 (RestoreDefault):
   1913           #   `organizations/foo` has a `Policy` with values:
   1914           #     {allowed_values: E1 allowed_values:E2}
   1915           #   `projects/bar` has a `Policy` with values:
   1916           #     {RestoreDefault: {}}
   1917           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1918           # The accepted values at `projects/bar` are either all or none depending on
   1919           # the value of `constraint_default` (if `ALLOW`, all; if
   1920           # `DENY`, none).
   1921           #
   1922           # Example 5 (no policy inherits parent policy):
   1923           #   `organizations/foo` has no `Policy` set.
   1924           #   `projects/bar` has no `Policy` set.
   1925           # The accepted values at both levels are either all or none depending on
   1926           # the value of `constraint_default` (if `ALLOW`, all; if
   1927           # `DENY`, none).
   1928           #
   1929           # Example 6 (ListConstraint allowing all):
   1930           #   `organizations/foo` has a `Policy` with values:
   1931           #     {allowed_values: E1 allowed_values: E2}
   1932           #   `projects/bar` has a `Policy` with:
   1933           #     {all: ALLOW}
   1934           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1935           # Any value is accepted at `projects/bar`.
   1936           #
   1937           # Example 7 (ListConstraint allowing none):
   1938           #   `organizations/foo` has a `Policy` with values:
   1939           #     {allowed_values: E1 allowed_values: E2}
   1940           #   `projects/bar` has a `Policy` with:
   1941           #     {all: DENY}
   1942           # The accepted values at `organizations/foo` are `E1`, `E2`.
   1943           # No value is accepted at `projects/bar`.
   1944       "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
   1945           # that matches the value specified in this `Policy`. If `suggested_value`
   1946           # is not set, it will inherit the value specified higher in the hierarchy,
   1947           # unless `inherit_from_parent` is `false`.
   1948       "deniedValues": [ # List of values denied at this resource. Can only be set if no values are
   1949           # set for `allowed_values` and `all_values` is set to
   1950           # `ALL_VALUES_UNSPECIFIED`.
   1951         "A String",
   1952       ],
   1953     },
   1954     "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
   1955         # Used in `policy_type` to specify how `boolean_policy` will behave at this resource.
   1956       "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
   1957           # configuration is acceptable.
   1958           #
   1959           # Suppose you have a `Constraint` `constraints/compute.disableSerialPortAccess`
   1960           # with `constraint_default` set to `ALLOW`. A `Policy` for that
   1961           # `Constraint` exhibits the following behavior:
   1962           #   - If the `Policy` at this resource has enforced set to `false`, serial
   1963           #     port connection attempts will be allowed.
   1964           #   - If the `Policy` at this resource has enforced set to `true`, serial
   1965           #     port connection attempts will be refused.
   1966           #   - If the `Policy` at this resource is `RestoreDefault`, serial port
   1967           #     connection attempts will be allowed.
   1968           #   - If no `Policy` is set at this resource or anywhere higher in the
   1969           #     resource hierarchy, serial port connection attempts will be allowed.
   1970           #   - If no `Policy` is set at this resource, but one exists higher in the
   1971           #     resource hierarchy, the behavior is as if the `Policy` were set at
   1972           #     this resource.
   1973           #
   1974           # The following examples demonstrate the different possible layerings:
   1975           #
   1976           # Example 1 (nearest `Constraint` wins):
   1977           #   `organizations/foo` has a `Policy` with:
   1978           #     {enforced: false}
   1979           #   `projects/bar` has no `Policy` set.
   1980           # The constraint at `projects/bar` and `organizations/foo` will not be
   1981           # enforced.
   1982           #
   1983           # Example 2 (enforcement gets replaced):
   1984           #   `organizations/foo` has a `Policy` with:
   1985           #     {enforced: false}
   1986           #   `projects/bar` has a `Policy` with:
   1987           #     {enforced: true}
   1988           # The constraint at `organizations/foo` is not enforced.
   1989           # The constraint at `projects/bar` is enforced.
   1990           #
   1991           # Example 3 (RestoreDefault):
   1992           #   `organizations/foo` has a `Policy` with:
   1993           #     {enforced: true}
   1994           #   `projects/bar` has a `Policy` with:
   1995           #     {RestoreDefault: {}}
   1996           # The constraint at `organizations/foo` is enforced.
   1997           # The constraint at `projects/bar` is not enforced, because
   1998           # `constraint_default` for the `Constraint` is `ALLOW`.
   1999     },
   2000     "version": 42, # Version of the `Policy`. Default version is 0.
   2001     "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
   2002         # concurrency control.
   2003         #
   2004         # When the `Policy` is returned from either a `GetPolicy` or a
   2005         # `ListOrgPolicy` request, this `etag` indicates the version of the current
   2006         # `Policy` to use when executing a read-modify-write loop.
   2007         #
   2008         # When the `Policy` is returned from a `GetEffectivePolicy` request, the
   2009         # `etag` will be unset.
   2010         #
   2011         # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
   2012         # that was returned from a `GetOrgPolicy` request as part of a
   2013         # read-modify-write loop for concurrency control. Not setting the `etag` in a
   2014         # `SetOrgPolicy` request will result in an unconditional write of the
   2015         # `Policy`.
   2016   }</pre>
   2017 </div>
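The `listPolicy` layering rules documented above (Examples 1 to 7), as an added offline model; this is example code, not part of the API client. The names `Effective`, `effective` and `accepted` are hypothetical, the sample policies are constructed, and combining `inheritFromParent` with a parent that uses `allValues` is rejected because the page does not describe that case.

```python
from dataclasses import dataclass
from typing import Optional

UNSPEC = "ALL_VALUES_UNSPECIFIED"

@dataclass(frozen=True)
class Effective:
    allowed: Optional[frozenset]      # None means no allow-list is in force
    denied: frozenset = frozenset()
    source: str = "default"           # "default", "all_values" or "lists"

    def accepts(self, value):
        in_allowed = self.allowed is None or value in self.allowed
        return in_allowed and value not in self.denied

def default_state(constraint_default):
    # constraint_default ALLOW accepts everything, DENY accepts nothing.
    return Effective(None if constraint_default == "ALLOW" else frozenset())

def validate_list_policy(lp):
    """Field rules the page states for `listPolicy`."""
    has_allowed = bool(lp.get("allowedValues"))
    has_denied = bool(lp.get("deniedValues"))
    if lp.get("allValues", UNSPEC) == UNSPEC:
        if has_allowed == has_denied:
            raise ValueError("set exactly one of allowedValues / deniedValues")
    elif has_allowed or has_denied:
        raise ValueError("value lists must be unset when allValues is ALLOW or DENY")

def effective(chain, constraint_default="ALLOW"):
    """chain: Policy dicts from the organization down to the resource; None = no Policy set."""
    state = default_state(constraint_default)
    for policy in chain:
        if policy is None:
            continue                                   # parent's result carries down
        if "restoreDefault" in policy:
            state = default_state(constraint_default)  # ignores everything set above
            continue
        lp = policy["listPolicy"]
        validate_list_policy(lp)
        all_values = lp.get("allValues", UNSPEC)
        if all_values != UNSPEC:
            state = Effective(None if all_values == "ALLOW" else frozenset(),
                              source="all_values")
            continue
        allowed = frozenset(lp["allowedValues"]) if lp.get("allowedValues") else None
        denied = frozenset(lp.get("deniedValues") or ())
        if lp.get("inheritFromParent"):
            if state.source == "all_values":
                raise ValueError("case not described on the page")
            if state.source == "lists":                # add to the inherited value lists
                if allowed is None:
                    allowed = state.allowed
                elif state.allowed is not None:
                    allowed |= state.allowed
                denied |= state.denied
        state = Effective(allowed, denied, "lists")    # without inheritance: own lists only
    return state

# Constructed organization-level policy used by the page's examples.
ORG = {"listPolicy": {"allowedValues": ["E1", "E2"]}}

def accepted(chain, universe=("E1", "E2", "E3", "E4", "E5"), constraint_default="ALLOW"):
    """Values from a constructed test universe that the resource at the end of chain accepts."""
    state = effective(chain, constraint_default)
    return [v for v in universe if state.accepts(v)]
```

Evaluating the whole chain matters when auditing: a project-level `Policy` without `inheritFromParent`, or one set to `restoreDefault`, replaces the organization's list rather than narrowing it.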
   2018 
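The `etag` read-modify-write loop described for `SetOrgPolicy`, as an added example that runs offline; it is not code from the API client. `FakeOrgPolicyService`, `StaleEtag`, `deny_value` and `race` are hypothetical names, the service is a constructed in-memory stand-in, and rejecting a write that carries an out-of-date `etag` is an assumption about how the concurrency control fails.

```python
import copy
import itertools

class StaleEtag(Exception):
    """Hypothetical error: the etag in the write no longer matches the stored Policy."""

class FakeOrgPolicyService:
    """Constructed in-memory stand-in for GetOrgPolicy / SetOrgPolicy (not the real client)."""

    def __init__(self):
        self._store = {}
        self._serial = itertools.count(1)

    def get_org_policy(self, resource, constraint):
        return copy.deepcopy(self._store[(resource, constraint)])

    def set_org_policy(self, resource, policy):
        key = (resource, policy["constraint"])
        current = self._store.get(key)
        # A write that carries an etag is conditional; one without it is unconditional.
        if current is not None and "etag" in policy and policy["etag"] != current["etag"]:
            raise StaleEtag(key)
        stored = copy.deepcopy(policy)
        stored["etag"] = "etag-%d" % next(self._serial)   # server assigns a fresh etag
        self._store[key] = stored
        return copy.deepcopy(stored)

def deny_value(service, resource, constraint, value, use_etag=True, attempts=5, after_read=None):
    """Read-modify-write: append `value` to deniedValues, retrying on a stale etag."""
    for _ in range(attempts):
        policy = service.get_org_policy(resource, constraint)
        if after_read:
            after_read()                    # hook used below to interleave a second writer
        denied = policy["listPolicy"].setdefault("deniedValues", [])
        if value not in denied:
            denied.append(value)
        if not use_etag:
            policy.pop("etag", None)        # omitting the etag forces an unconditional write
        try:
            return service.set_org_policy(resource, policy)
        except StaleEtag:
            continue                        # someone else wrote first: re-read and reapply
    raise RuntimeError("policy kept changing; gave up after %d attempts" % attempts)

def race(use_etag):
    """Two writers update the same Policy; returns the final deniedValues, sorted."""
    resource, constraint = "organizations/123", "constraints/serviceuser.services"
    service = FakeOrgPolicyService()
    service.set_org_policy(resource, {"constraint": constraint,
                                      "listPolicy": {"deniedValues": ["E1"]}})
    fired = []

    def rival():                            # runs once, between our read and our write
        if not fired:
            fired.append(True)
            deny_value(service, resource, constraint, "E9")

    deny_value(service, resource, constraint, "E2", use_etag=use_etag, after_read=rival)
    return sorted(service.get_org_policy(resource, constraint)["listPolicy"]["deniedValues"])
```

With the `etag` kept, the second writer's `E9` survives the race; with it dropped, the unconditional write silently discards that denied value.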
   2019 <div class="method">
   2020     <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
   2021   <pre>Returns permissions that a caller has on the specified Organization.
   2022 The `resource` field should be the organization's resource name,
   2023 e.g. "organizations/123".
   2024 
   2025 Args:
   2026   resource: string, REQUIRED: The resource for which the policy detail is being requested.
   2027 See the operation documentation for the appropriate value for this field. (required)
   2028   body: object, The request body. (required)
   2029     The object takes the form of:
   2030 
   2031 { # Request message for `TestIamPermissions` method.
   2032     "permissions": [ # The set of permissions to check for the `resource`. Permissions with
   2033         # wildcards (such as '*' or 'storage.*') are not allowed. For more
   2034         # information see
   2035         # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
   2036       "A String",
   2037     ],
   2038   }
   2039 
   2040   x__xgafv: string, V1 error format.
   2041     Allowed values
   2042       1 - v1 error format
   2043       2 - v2 error format
   2044 
   2045 Returns:
   2046   An object of the form:
   2047 
   2048     { # Response message for `TestIamPermissions` method.
   2049     "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
   2050         # allowed.
   2051       "A String",
   2052     ],
   2053   }</pre>
   2054 </div>
   2055 
   2056 </body></html>