• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5  margin: 0;
6  padding: 0;
7  border: 0;
8  font-weight: inherit;
9  font-style: inherit;
10  font-size: 100%;
11  font-family: inherit;
12  vertical-align: baseline;
13}
14
15body {
16  font-size: 13px;
17  padding: 1em;
18}
19
20h1 {
21  font-size: 26px;
22  margin-bottom: 1em;
23}
24
25h2 {
26  font-size: 24px;
27  margin-bottom: 1em;
28}
29
30h3 {
31  font-size: 20px;
32  margin-bottom: 1em;
33  margin-top: 1em;
34}
35
36pre, code {
37  line-height: 1.5;
38  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42  margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46  font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50  border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54  margin-top: 0.5em;
55}
56
57.firstline {
58  margin-left: 2 em;
59}
60
61.method  {
62  margin-top: 1em;
63  border: solid 1px #CCC;
64  padding: 1em;
65  background: #EEE;
66}
67
68.details {
69  font-weight: bold;
70  font-size: 14px;
71}
72
73</style>
74
75<h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78  <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
79<p class="firstline">Clears a `Policy` from a resource.</p>
80<p class="toc_element">
81  <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
82<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
83<p class="toc_element">
84  <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
85<p class="firstline">Gets a `Policy` on a resource.</p>
86<p class="toc_element">
87  <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
88<p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
89<p class="toc_element">
90  <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
91<p class="firstline">Retrieves the next page of results.</p>
92<p class="toc_element">
93  <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
94<p class="firstline">Lists all the `Policies` set for a particular resource.</p>
95<p class="toc_element">
96  <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
97<p class="firstline">Retrieves the next page of results.</p>
98<p class="toc_element">
99  <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
100<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
101<h3>Method Details</h3>
102<div class="method">
103    <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
104  <pre>Clears a `Policy` from a resource.
105
106Args:
107  resource: string, Name of the resource for the `Policy` to clear. (required)
108  body: object, The request body. (required)
109    The object takes the form of:
110
111{ # The request sent to the ClearOrgPolicy method.
112    "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
113        # will cause the `Policy` to be cleared blindly.
114    "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
115  }
116
117  x__xgafv: string, V1 error format.
118    Allowed values
119      1 - v1 error format
120      2 - v2 error format
121
122Returns:
123  An object of the form:
124
125    { # A generic empty message that you can re-use to avoid defining duplicated
126      # empty messages in your APIs. A typical example is to use it as the request
127      # or the response type of an API method. For instance:
128      #
129      #     service Foo {
130      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
131      #     }
132      #
133      # The JSON representation for `Empty` is empty JSON object `{}`.
134  }</pre>
135</div>
136
137<div class="method">
138    <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
139  <pre>Gets the effective `Policy` on a resource. This is the result of merging
140`Policies` in the resource hierarchy. The returned `Policy` will not have
141an `etag`set because it is a computed `Policy` across multiple resources.
142Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
143not be expanded.
144
145Args:
146  resource: string, The name of the resource to start computing the effective `Policy`. (required)
147  body: object, The request body. (required)
148    The object takes the form of:
149
150{ # The request sent to the GetEffectiveOrgPolicy method.
151    "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
152  }
153
154  x__xgafv: string, V1 error format.
155    Allowed values
156      1 - v1 error format
157      2 - v2 error format
158
159Returns:
160  An object of the form:
161
162    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
163      # for configurations of Cloud Platform resources.
164    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
165        # server, not specified by the caller, and represents the last time a call to
166        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
167        # be ignored.
168    "version": 42, # Version of the `Policy`. Default version is 0;
169    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
170        # `constraints/serviceuser.services`.
171        #
172        # Immutable after creation.
173    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
174        # `Constraint` type.
175        # `constraint_default` enforcement behavior of the specific `Constraint` at
176        # this resource.
177        #
178        # Suppose that `constraint_default` is set to `ALLOW` for the
179        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
180        # foo.com sets a `Policy` at their Organization resource node that restricts
181        # the allowed service activations to deny all service activations. They
182        # could then set a `Policy` with the `policy_type` `restore_default` on
183        # several experimental projects, restoring the `constraint_default`
184        # enforcement of the `Constraint` for only those projects, allowing those
185        # projects to have all services activated.
186    },
187    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
188        # resource.
189        #
190        # `ListPolicy` can define specific values and subtrees of Cloud Resource
191        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
192        # are allowed or denied by setting the `allowed_values` and `denied_values`
193        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
194        # The `under:` prefix is used to denote resource subtree values.
195        # The `is:` prefix is used to denote specific values, and is required only
196        # if the value contains a ":". Values prefixed with "is:" are treated the
197        # same as values with no prefix.
198        # Ancestry subtrees must be in one of the following formats:
199        #     - “projects/<project-id>”, e.g.projects/tokyo-rain-123200        #     - “folders/<folder-id>”, e.g.folders/1234201        #     - “organizations/<organization-id>”, e.g.organizations/1234202        # The `supports_under` field of the associated `Constraint`  defines whether
203        # ancestry prefixes can be used. You can set `allowed_values` and
204        # `denied_values` in the same `Policy` if `all_values` is
205        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
206        # values. If `all_values` is set to either `ALLOW` or `DENY`,
207        # `allowed_values` and `denied_values` must be unset.
208      "allValues": "A String", # The policy all_values state.
209      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
210          # is set to `ALL_VALUES_UNSPECIFIED`.
211        "A String",
212      ],
213      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
214          #
215          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
216          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
217          # set to `true`, then the values from the effective `Policy` of the parent
218          # resource are inherited, meaning the values set in this `Policy` are
219          # added to the values inherited up the hierarchy.
220          #
221          # Setting `Policy` hierarchies that inherit both allowed values and denied
222          # values isn't recommended in most circumstances to keep the configuration
223          # simple and understandable. However, it is possible to set a `Policy` with
224          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
225          # In this case, the values that are allowed must be in `allowed_values` and
226          # not present in `denied_values`.
227          #
228          # For example, suppose you have a `Constraint`
229          # `constraints/serviceuser.services`, which has a `constraint_type` of
230          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
231          # Suppose that at the Organization level, a `Policy` is applied that
232          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
233          # `Policy` is applied to a project below the Organization that has
234          # `inherit_from_parent` set to `false` and field all_values set to DENY,
235          # then an attempt to activate any API will be denied.
236          #
237          # The following examples demonstrate different possible layerings for
238          # `projects/bar` parented by `organizations/foo`:
239          #
240          # Example 1 (no inherited values):
241          #   `organizations/foo` has a `Policy` with values:
242          #     {allowed_values: “E1” allowed_values:”E2”}
243          #   `projects/bar` has `inherit_from_parent` `false` and values:
244          #     {allowed_values: "E3" allowed_values: "E4"}
245          # The accepted values at `organizations/foo` are `E1`, `E2`.
246          # The accepted values at `projects/bar` are `E3`, and `E4`.
247          #
248          # Example 2 (inherited values):
249          #   `organizations/foo` has a `Policy` with values:
250          #     {allowed_values: “E1” allowed_values:”E2”}
251          #   `projects/bar` has a `Policy` with values:
252          #     {value: “E3” value: ”E4” inherit_from_parent: true}
253          # The accepted values at `organizations/foo` are `E1`, `E2`.
254          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
255          #
256          # Example 3 (inheriting both allowed and denied values):
257          #   `organizations/foo` has a `Policy` with values:
258          #     {allowed_values: "E1" allowed_values: "E2"}
259          #   `projects/bar` has a `Policy` with:
260          #     {denied_values: "E1"}
261          # The accepted values at `organizations/foo` are `E1`, `E2`.
262          # The value accepted at `projects/bar` is `E2`.
263          #
264          # Example 4 (RestoreDefault):
265          #   `organizations/foo` has a `Policy` with values:
266          #     {allowed_values: “E1” allowed_values:”E2”}
267          #   `projects/bar` has a `Policy` with values:
268          #     {RestoreDefault: {}}
269          # The accepted values at `organizations/foo` are `E1`, `E2`.
270          # The accepted values at `projects/bar` are either all or none depending on
271          # the value of `constraint_default` (if `ALLOW`, all; if
272          # `DENY`, none).
273          #
274          # Example 5 (no policy inherits parent policy):
275          #   `organizations/foo` has no `Policy` set.
276          #   `projects/bar` has no `Policy` set.
277          # The accepted values at both levels are either all or none depending on
278          # the value of `constraint_default` (if `ALLOW`, all; if
279          # `DENY`, none).
280          #
281          # Example 6 (ListConstraint allowing all):
282          #   `organizations/foo` has a `Policy` with values:
283          #     {allowed_values: “E1” allowed_values: ”E2”}
284          #   `projects/bar` has a `Policy` with:
285          #     {all: ALLOW}
286          # The accepted values at `organizations/foo` are `E1`, E2`.
287          # Any value is accepted at `projects/bar`.
288          #
289          # Example 7 (ListConstraint allowing none):
290          #   `organizations/foo` has a `Policy` with values:
291          #     {allowed_values: “E1” allowed_values: ”E2”}
292          #   `projects/bar` has a `Policy` with:
293          #     {all: DENY}
294          # The accepted values at `organizations/foo` are `E1`, E2`.
295          # No value is accepted at `projects/bar`.
296          #
297          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
298          # Given the following resource hierarchy
299          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
300          #   `organizations/foo` has a `Policy` with values:
301          #     {allowed_values: "under:organizations/O1"}
302          #   `projects/bar` has a `Policy` with:
303          #     {allowed_values: "under:projects/P3"}
304          #     {denied_values: "under:folders/F2"}
305          # The accepted values at `organizations/foo` are `organizations/O1`,
306          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
307          #   `projects/P3`.
308          # The accepted values at `projects/bar` are `organizations/O1`,
309          #   `folders/F1`, `projects/P1`.
310      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
311          # that matches the value specified in this `Policy`. If `suggested_value`
312          # is not set, it will inherit the value specified higher in the hierarchy,
313          # unless `inherit_from_parent` is `false`.
314      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
315          # is set to `ALL_VALUES_UNSPECIFIED`.
316        "A String",
317      ],
318    },
319    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
320        # resource.
321      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
322          # configuration is acceptable.
323          #
324          # Suppose you have a `Constraint`
325          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
326          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
327          # behavior:
328          #   - If the `Policy` at this resource has enforced set to `false`, serial
329          #     port connection attempts will be allowed.
330          #   - If the `Policy` at this resource has enforced set to `true`, serial
331          #     port connection attempts will be refused.
332          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
333          #     connection attempts will be allowed.
334          #   - If no `Policy` is set at this resource or anywhere higher in the
335          #     resource hierarchy, serial port connection attempts will be allowed.
336          #   - If no `Policy` is set at this resource, but one exists higher in the
337          #     resource hierarchy, the behavior is as if the`Policy` were set at
338          #     this resource.
339          #
340          # The following examples demonstrate the different possible layerings:
341          #
342          # Example 1 (nearest `Constraint` wins):
343          #   `organizations/foo` has a `Policy` with:
344          #     {enforced: false}
345          #   `projects/bar` has no `Policy` set.
346          # The constraint at `projects/bar` and `organizations/foo` will not be
347          # enforced.
348          #
349          # Example 2 (enforcement gets replaced):
350          #   `organizations/foo` has a `Policy` with:
351          #     {enforced: false}
352          #   `projects/bar` has a `Policy` with:
353          #     {enforced: true}
354          # The constraint at `organizations/foo` is not enforced.
355          # The constraint at `projects/bar` is enforced.
356          #
357          # Example 3 (RestoreDefault):
358          #   `organizations/foo` has a `Policy` with:
359          #     {enforced: true}
360          #   `projects/bar` has a `Policy` with:
361          #     {RestoreDefault: {}}
362          # The constraint at `organizations/foo` is enforced.
363          # The constraint at `projects/bar` is not enforced, because
364          # `constraint_default` for the `Constraint` is `ALLOW`.
365    },
366    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
367        # concurrency control.
368        #
369        # When the `Policy` is returned from either a `GetPolicy` or a
370        # `ListOrgPolicy` request, this `etag` indicates the version of the current
371        # `Policy` to use when executing a read-modify-write loop.
372        #
373        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
374        # `etag` will be unset.
375        #
376        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
377        # that was returned from a `GetOrgPolicy` request as part of a
378        # read-modify-write loop for concurrency control. Not setting the `etag`in a
379        # `SetOrgPolicy` request will result in an unconditional write of the
380        # `Policy`.
381  }</pre>
382</div>
383
384<div class="method">
385    <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
386  <pre>Gets a `Policy` on a resource.
387
388If no `Policy` is set on the resource, a `Policy` is returned with default
389values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
390`etag` value can be used with `SetOrgPolicy()` to create or update a
391`Policy` during read-modify-write.
392
393Args:
394  resource: string, Name of the resource the `Policy` is set on. (required)
395  body: object, The request body. (required)
396    The object takes the form of:
397
398{ # The request sent to the GetOrgPolicy method.
399    "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
400  }
401
402  x__xgafv: string, V1 error format.
403    Allowed values
404      1 - v1 error format
405      2 - v2 error format
406
407Returns:
408  An object of the form:
409
410    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
411      # for configurations of Cloud Platform resources.
412    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
413        # server, not specified by the caller, and represents the last time a call to
414        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
415        # be ignored.
416    "version": 42, # Version of the `Policy`. Default version is 0;
417    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
418        # `constraints/serviceuser.services`.
419        #
420        # Immutable after creation.
421    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
422        # `Constraint` type.
423        # `constraint_default` enforcement behavior of the specific `Constraint` at
424        # this resource.
425        #
426        # Suppose that `constraint_default` is set to `ALLOW` for the
427        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
428        # foo.com sets a `Policy` at their Organization resource node that restricts
429        # the allowed service activations to deny all service activations. They
430        # could then set a `Policy` with the `policy_type` `restore_default` on
431        # several experimental projects, restoring the `constraint_default`
432        # enforcement of the `Constraint` for only those projects, allowing those
433        # projects to have all services activated.
434    },
435    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
436        # resource.
437        #
438        # `ListPolicy` can define specific values and subtrees of Cloud Resource
439        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
440        # are allowed or denied by setting the `allowed_values` and `denied_values`
441        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
442        # The `under:` prefix is used to denote resource subtree values.
443        # The `is:` prefix is used to denote specific values, and is required only
444        # if the value contains a ":". Values prefixed with "is:" are treated the
445        # same as values with no prefix.
446        # Ancestry subtrees must be in one of the following formats:
447        #     - “projects/<project-id>”, e.g.projects/tokyo-rain-123448        #     - “folders/<folder-id>”, e.g.folders/1234449        #     - “organizations/<organization-id>”, e.g.organizations/1234450        # The `supports_under` field of the associated `Constraint`  defines whether
451        # ancestry prefixes can be used. You can set `allowed_values` and
452        # `denied_values` in the same `Policy` if `all_values` is
453        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
454        # values. If `all_values` is set to either `ALLOW` or `DENY`,
455        # `allowed_values` and `denied_values` must be unset.
456      "allValues": "A String", # The policy all_values state.
457      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
458          # is set to `ALL_VALUES_UNSPECIFIED`.
459        "A String",
460      ],
461      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
462          #
463          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
464          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
465          # set to `true`, then the values from the effective `Policy` of the parent
466          # resource are inherited, meaning the values set in this `Policy` are
467          # added to the values inherited up the hierarchy.
468          #
469          # Setting `Policy` hierarchies that inherit both allowed values and denied
470          # values isn't recommended in most circumstances to keep the configuration
471          # simple and understandable. However, it is possible to set a `Policy` with
472          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
473          # In this case, the values that are allowed must be in `allowed_values` and
474          # not present in `denied_values`.
475          #
476          # For example, suppose you have a `Constraint`
477          # `constraints/serviceuser.services`, which has a `constraint_type` of
478          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
479          # Suppose that at the Organization level, a `Policy` is applied that
480          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
481          # `Policy` is applied to a project below the Organization that has
482          # `inherit_from_parent` set to `false` and field all_values set to DENY,
483          # then an attempt to activate any API will be denied.
484          #
485          # The following examples demonstrate different possible layerings for
486          # `projects/bar` parented by `organizations/foo`:
487          #
488          # Example 1 (no inherited values):
489          #   `organizations/foo` has a `Policy` with values:
490          #     {allowed_values: “E1” allowed_values:”E2”}
491          #   `projects/bar` has `inherit_from_parent` `false` and values:
492          #     {allowed_values: "E3" allowed_values: "E4"}
493          # The accepted values at `organizations/foo` are `E1`, `E2`.
494          # The accepted values at `projects/bar` are `E3`, and `E4`.
495          #
496          # Example 2 (inherited values):
497          #   `organizations/foo` has a `Policy` with values:
498          #     {allowed_values: “E1” allowed_values:”E2”}
499          #   `projects/bar` has a `Policy` with values:
500          #     {value: “E3” value: ”E4” inherit_from_parent: true}
501          # The accepted values at `organizations/foo` are `E1`, `E2`.
502          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
503          #
504          # Example 3 (inheriting both allowed and denied values):
505          #   `organizations/foo` has a `Policy` with values:
506          #     {allowed_values: "E1" allowed_values: "E2"}
507          #   `projects/bar` has a `Policy` with:
508          #     {denied_values: "E1"}
509          # The accepted values at `organizations/foo` are `E1`, `E2`.
510          # The value accepted at `projects/bar` is `E2`.
511          #
512          # Example 4 (RestoreDefault):
513          #   `organizations/foo` has a `Policy` with values:
514          #     {allowed_values: “E1” allowed_values:”E2”}
515          #   `projects/bar` has a `Policy` with values:
516          #     {RestoreDefault: {}}
517          # The accepted values at `organizations/foo` are `E1`, `E2`.
518          # The accepted values at `projects/bar` are either all or none depending on
519          # the value of `constraint_default` (if `ALLOW`, all; if
520          # `DENY`, none).
521          #
522          # Example 5 (no policy inherits parent policy):
523          #   `organizations/foo` has no `Policy` set.
524          #   `projects/bar` has no `Policy` set.
525          # The accepted values at both levels are either all or none depending on
526          # the value of `constraint_default` (if `ALLOW`, all; if
527          # `DENY`, none).
528          #
529          # Example 6 (ListConstraint allowing all):
530          #   `organizations/foo` has a `Policy` with values:
531          #     {allowed_values: “E1” allowed_values: ”E2”}
532          #   `projects/bar` has a `Policy` with:
533          #     {all: ALLOW}
534          # The accepted values at `organizations/foo` are `E1`, E2`.
535          # Any value is accepted at `projects/bar`.
536          #
537          # Example 7 (ListConstraint allowing none):
538          #   `organizations/foo` has a `Policy` with values:
539          #     {allowed_values: “E1” allowed_values: ”E2”}
540          #   `projects/bar` has a `Policy` with:
541          #     {all: DENY}
542          # The accepted values at `organizations/foo` are `E1`, E2`.
543          # No value is accepted at `projects/bar`.
544          #
545          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
546          # Given the following resource hierarchy
547          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
548          #   `organizations/foo` has a `Policy` with values:
549          #     {allowed_values: "under:organizations/O1"}
550          #   `projects/bar` has a `Policy` with:
551          #     {allowed_values: "under:projects/P3"}
552          #     {denied_values: "under:folders/F2"}
553          # The accepted values at `organizations/foo` are `organizations/O1`,
554          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
555          #   `projects/P3`.
556          # The accepted values at `projects/bar` are `organizations/O1`,
557          #   `folders/F1`, `projects/P1`.
558      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
559          # that matches the value specified in this `Policy`. If `suggested_value`
560          # is not set, it will inherit the value specified higher in the hierarchy,
561          # unless `inherit_from_parent` is `false`.
562      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
563          # is set to `ALL_VALUES_UNSPECIFIED`.
564        "A String",
565      ],
566    },
567    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
568        # resource.
569      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
570          # configuration is acceptable.
571          #
572          # Suppose you have a `Constraint`
573          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
574          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
575          # behavior:
576          #   - If the `Policy` at this resource has enforced set to `false`, serial
577          #     port connection attempts will be allowed.
578          #   - If the `Policy` at this resource has enforced set to `true`, serial
579          #     port connection attempts will be refused.
580          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
581          #     connection attempts will be allowed.
582          #   - If no `Policy` is set at this resource or anywhere higher in the
583          #     resource hierarchy, serial port connection attempts will be allowed.
584          #   - If no `Policy` is set at this resource, but one exists higher in the
585          #     resource hierarchy, the behavior is as if the`Policy` were set at
586          #     this resource.
587          #
588          # The following examples demonstrate the different possible layerings:
589          #
590          # Example 1 (nearest `Constraint` wins):
591          #   `organizations/foo` has a `Policy` with:
592          #     {enforced: false}
593          #   `projects/bar` has no `Policy` set.
594          # The constraint at `projects/bar` and `organizations/foo` will not be
595          # enforced.
596          #
597          # Example 2 (enforcement gets replaced):
598          #   `organizations/foo` has a `Policy` with:
599          #     {enforced: false}
600          #   `projects/bar` has a `Policy` with:
601          #     {enforced: true}
602          # The constraint at `organizations/foo` is not enforced.
603          # The constraint at `projects/bar` is enforced.
604          #
605          # Example 3 (RestoreDefault):
606          #   `organizations/foo` has a `Policy` with:
607          #     {enforced: true}
608          #   `projects/bar` has a `Policy` with:
609          #     {RestoreDefault: {}}
610          # The constraint at `organizations/foo` is enforced.
611          # The constraint at `projects/bar` is not enforced, because
612          # `constraint_default` for the `Constraint` is `ALLOW`.
613    },
614    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
615        # concurrency control.
616        #
617        # When the `Policy` is returned from either a `GetPolicy` or a
618        # `ListOrgPolicy` request, this `etag` indicates the version of the current
619        # `Policy` to use when executing a read-modify-write loop.
620        #
621        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
622        # `etag` will be unset.
623        #
624        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
625        # that was returned from a `GetOrgPolicy` request as part of a
626        # read-modify-write loop for concurrency control. Not setting the `etag`in a
627        # `SetOrgPolicy` request will result in an unconditional write of the
628        # `Policy`.
629  }</pre>
630</div>
631
632<div class="method">
633    <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
634  <pre>Lists `Constraints` that could be applied on the specified resource.
635
636Args:
637  resource: string, Name of the resource to list `Constraints` for. (required)
638  body: object, The request body. (required)
639    The object takes the form of:
640
641{ # The request sent to the [ListAvailableOrgPolicyConstraints]
642      # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
643    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
644        # and will be ignored. The server may at any point start using this field.
645    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
646        # be ignored. The server may at any point start using this field to limit
647        # page size.
648  }
649
650  x__xgafv: string, V1 error format.
651    Allowed values
652      1 - v1 error format
653      2 - v2 error format
654
655Returns:
656  An object of the form:
657
658    { # The response returned from the ListAvailableOrgPolicyConstraints method.
659      # Returns all `Constraints` that could be set at this level of the hierarchy
660      # (contrast with the response from `ListPolicies`, which returns all policies
661      # which are set).
662    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
663    "constraints": [ # The collection of constraints that are settable on the request resource.
664      { # A `Constraint` describes a way in which a resource's configuration can be
665          # restricted. For example, it controls which cloud services can be activated
666          # across an organization, or whether a Compute Engine instance can have
667          # serial port connections established. `Constraints` can be configured by the
668          # organization's policy adminstrator to fit the needs of the organzation by
669          # setting Policies for `Constraints` at different locations in the
670          # organization's resource hierarchy. Policies are inherited down the resource
671          # hierarchy from higher levels, but can also be overridden. For details about
672          # the inheritance rules please read about
673          # Policies.
674          #
675          # `Constraints` have a default behavior determined by the `constraint_default`
676          # field, which is the enforcement behavior that is used in the absence of a
677          # `Policy` being defined or inherited for the resource in question.
678        "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
679        "displayName": "A String", # The human readable name.
680            #
681            # Mutable.
682        "name": "A String", # Immutable value, required to globally be unique. For example,
683            # `constraints/serviceuser.services`
684        "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
685            #
686            # For example a constraint `constraints/compute.disableSerialPortAccess`.
687            # If it is enforced on a VM instance, serial port connections will not be
688            # opened to that instance.
689        },
690        "version": 42, # Version of the `Constraint`. Default version is 0;
691        "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
692            # configured by an Organization's policy administrator with a `Policy`.
693          "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
694              # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
695              # example, `"under:folders/123"` would match any resource under the
696              # 'folders/123' folder.
697          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
698              # that matches the value specified in this `Constraint`.
699        },
700        "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
701            # where it is enforced.
702            #
703            # Mutable.
704      },
705    ],
706  }</pre>
707</div>
708
709<div class="method">
710    <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
711  <pre>Retrieves the next page of results.
712
713Args:
714  previous_request: The request for the previous page. (required)
715  previous_response: The response from the request for the previous page. (required)
716
717Returns:
718  A request object that you can call 'execute()' on to request the next
719  page. Returns None if there are no more items in the collection.
720    </pre>
721</div>
722
723<div class="method">
724    <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
725  <pre>Lists all the `Policies` set for a particular resource.
726
727Args:
728  resource: string, Name of the resource to list Policies for. (required)
729  body: object, The request body. (required)
730    The object takes the form of:
731
732{ # The request sent to the ListOrgPolicies method.
733    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
734        # and will be ignored. The server may at any point start using this field.
735    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
736        # be ignored. The server may at any point start using this field to limit
737        # page size.
738  }
739
740  x__xgafv: string, V1 error format.
741    Allowed values
742      1 - v1 error format
743      2 - v2 error format
744
745Returns:
746  An object of the form:
747
748    { # The response returned from the ListOrgPolicies method. It will be empty
749      # if no `Policies` are set on the resource.
750    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
751        # the server may at any point start supplying a valid token.
752    "policies": [ # The `Policies` that are set on the resource. It will be empty if no
753        # `Policies` are set.
754      { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
755          # for configurations of Cloud Platform resources.
756        "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
757            # server, not specified by the caller, and represents the last time a call to
758            # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
759            # be ignored.
760        "version": 42, # Version of the `Policy`. Default version is 0;
761        "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
762            # `constraints/serviceuser.services`.
763            #
764            # Immutable after creation.
765        "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
766            # `Constraint` type.
767            # `constraint_default` enforcement behavior of the specific `Constraint` at
768            # this resource.
769            #
770            # Suppose that `constraint_default` is set to `ALLOW` for the
771            # `Constraint` `constraints/serviceuser.services`. Suppose that organization
772            # foo.com sets a `Policy` at their Organization resource node that restricts
773            # the allowed service activations to deny all service activations. They
774            # could then set a `Policy` with the `policy_type` `restore_default` on
775            # several experimental projects, restoring the `constraint_default`
776            # enforcement of the `Constraint` for only those projects, allowing those
777            # projects to have all services activated.
778        },
779        "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
780            # resource.
781            #
782            # `ListPolicy` can define specific values and subtrees of Cloud Resource
783            # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
784            # are allowed or denied by setting the `allowed_values` and `denied_values`
785            # fields. This is achieved by using the `under:` and optional `is:` prefixes.
786            # The `under:` prefix is used to denote resource subtree values.
787            # The `is:` prefix is used to denote specific values, and is required only
788            # if the value contains a ":". Values prefixed with "is:" are treated the
789            # same as values with no prefix.
790            # Ancestry subtrees must be in one of the following formats:
791            #     - “projects/<project-id>”, e.g.projects/tokyo-rain-123792            #     - “folders/<folder-id>”, e.g.folders/1234793            #     - “organizations/<organization-id>”, e.g.organizations/1234794            # The `supports_under` field of the associated `Constraint`  defines whether
795            # ancestry prefixes can be used. You can set `allowed_values` and
796            # `denied_values` in the same `Policy` if `all_values` is
797            # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
798            # values. If `all_values` is set to either `ALLOW` or `DENY`,
799            # `allowed_values` and `denied_values` must be unset.
800          "allValues": "A String", # The policy all_values state.
801          "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
802              # is set to `ALL_VALUES_UNSPECIFIED`.
803            "A String",
804          ],
805          "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
806              #
807              # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
808              # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
809              # set to `true`, then the values from the effective `Policy` of the parent
810              # resource are inherited, meaning the values set in this `Policy` are
811              # added to the values inherited up the hierarchy.
812              #
813              # Setting `Policy` hierarchies that inherit both allowed values and denied
814              # values isn't recommended in most circumstances to keep the configuration
815              # simple and understandable. However, it is possible to set a `Policy` with
816              # `allowed_values` set that inherits a `Policy` with `denied_values` set.
817              # In this case, the values that are allowed must be in `allowed_values` and
818              # not present in `denied_values`.
819              #
820              # For example, suppose you have a `Constraint`
821              # `constraints/serviceuser.services`, which has a `constraint_type` of
822              # `list_constraint`, and with `constraint_default` set to `ALLOW`.
823              # Suppose that at the Organization level, a `Policy` is applied that
824              # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
825              # `Policy` is applied to a project below the Organization that has
826              # `inherit_from_parent` set to `false` and field all_values set to DENY,
827              # then an attempt to activate any API will be denied.
828              #
829              # The following examples demonstrate different possible layerings for
830              # `projects/bar` parented by `organizations/foo`:
831              #
832              # Example 1 (no inherited values):
833              #   `organizations/foo` has a `Policy` with values:
834              #     {allowed_values: “E1” allowed_values:”E2”}
835              #   `projects/bar` has `inherit_from_parent` `false` and values:
836              #     {allowed_values: "E3" allowed_values: "E4"}
837              # The accepted values at `organizations/foo` are `E1`, `E2`.
838              # The accepted values at `projects/bar` are `E3`, and `E4`.
839              #
840              # Example 2 (inherited values):
841              #   `organizations/foo` has a `Policy` with values:
842              #     {allowed_values: “E1” allowed_values:”E2”}
843              #   `projects/bar` has a `Policy` with values:
844              #     {value: “E3” value: ”E4” inherit_from_parent: true}
845              # The accepted values at `organizations/foo` are `E1`, `E2`.
846              # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
847              #
848              # Example 3 (inheriting both allowed and denied values):
849              #   `organizations/foo` has a `Policy` with values:
850              #     {allowed_values: "E1" allowed_values: "E2"}
851              #   `projects/bar` has a `Policy` with:
852              #     {denied_values: "E1"}
853              # The accepted values at `organizations/foo` are `E1`, `E2`.
854              # The value accepted at `projects/bar` is `E2`.
855              #
856              # Example 4 (RestoreDefault):
857              #   `organizations/foo` has a `Policy` with values:
858              #     {allowed_values: “E1” allowed_values:”E2”}
859              #   `projects/bar` has a `Policy` with values:
860              #     {RestoreDefault: {}}
861              # The accepted values at `organizations/foo` are `E1`, `E2`.
862              # The accepted values at `projects/bar` are either all or none depending on
863              # the value of `constraint_default` (if `ALLOW`, all; if
864              # `DENY`, none).
865              #
866              # Example 5 (no policy inherits parent policy):
867              #   `organizations/foo` has no `Policy` set.
868              #   `projects/bar` has no `Policy` set.
869              # The accepted values at both levels are either all or none depending on
870              # the value of `constraint_default` (if `ALLOW`, all; if
871              # `DENY`, none).
872              #
873              # Example 6 (ListConstraint allowing all):
874              #   `organizations/foo` has a `Policy` with values:
875              #     {allowed_values: “E1” allowed_values: ”E2”}
876              #   `projects/bar` has a `Policy` with:
877              #     {all: ALLOW}
878              # The accepted values at `organizations/foo` are `E1`, E2`.
879              # Any value is accepted at `projects/bar`.
880              #
881              # Example 7 (ListConstraint allowing none):
882              #   `organizations/foo` has a `Policy` with values:
883              #     {allowed_values: “E1” allowed_values: ”E2”}
884              #   `projects/bar` has a `Policy` with:
885              #     {all: DENY}
886              # The accepted values at `organizations/foo` are `E1`, E2`.
887              # No value is accepted at `projects/bar`.
888              #
889              # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
890              # Given the following resource hierarchy
891              #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
892              #   `organizations/foo` has a `Policy` with values:
893              #     {allowed_values: "under:organizations/O1"}
894              #   `projects/bar` has a `Policy` with:
895              #     {allowed_values: "under:projects/P3"}
896              #     {denied_values: "under:folders/F2"}
897              # The accepted values at `organizations/foo` are `organizations/O1`,
898              #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
899              #   `projects/P3`.
900              # The accepted values at `projects/bar` are `organizations/O1`,
901              #   `folders/F1`, `projects/P1`.
902          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
903              # that matches the value specified in this `Policy`. If `suggested_value`
904              # is not set, it will inherit the value specified higher in the hierarchy,
905              # unless `inherit_from_parent` is `false`.
906          "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
907              # is set to `ALL_VALUES_UNSPECIFIED`.
908            "A String",
909          ],
910        },
911        "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
912            # resource.
913          "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
914              # configuration is acceptable.
915              #
916              # Suppose you have a `Constraint`
917              # `constraints/compute.disableSerialPortAccess` with `constraint_default`
918              # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
919              # behavior:
920              #   - If the `Policy` at this resource has enforced set to `false`, serial
921              #     port connection attempts will be allowed.
922              #   - If the `Policy` at this resource has enforced set to `true`, serial
923              #     port connection attempts will be refused.
924              #   - If the `Policy` at this resource is `RestoreDefault`, serial port
925              #     connection attempts will be allowed.
926              #   - If no `Policy` is set at this resource or anywhere higher in the
927              #     resource hierarchy, serial port connection attempts will be allowed.
928              #   - If no `Policy` is set at this resource, but one exists higher in the
929              #     resource hierarchy, the behavior is as if the`Policy` were set at
930              #     this resource.
931              #
932              # The following examples demonstrate the different possible layerings:
933              #
934              # Example 1 (nearest `Constraint` wins):
935              #   `organizations/foo` has a `Policy` with:
936              #     {enforced: false}
937              #   `projects/bar` has no `Policy` set.
938              # The constraint at `projects/bar` and `organizations/foo` will not be
939              # enforced.
940              #
941              # Example 2 (enforcement gets replaced):
942              #   `organizations/foo` has a `Policy` with:
943              #     {enforced: false}
944              #   `projects/bar` has a `Policy` with:
945              #     {enforced: true}
946              # The constraint at `organizations/foo` is not enforced.
947              # The constraint at `projects/bar` is enforced.
948              #
949              # Example 3 (RestoreDefault):
950              #   `organizations/foo` has a `Policy` with:
951              #     {enforced: true}
952              #   `projects/bar` has a `Policy` with:
953              #     {RestoreDefault: {}}
954              # The constraint at `organizations/foo` is enforced.
955              # The constraint at `projects/bar` is not enforced, because
956              # `constraint_default` for the `Constraint` is `ALLOW`.
957        },
958        "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
959            # concurrency control.
960            #
961            # When the `Policy` is returned from either a `GetPolicy` or a
962            # `ListOrgPolicy` request, this `etag` indicates the version of the current
963            # `Policy` to use when executing a read-modify-write loop.
964            #
965            # When the `Policy` is returned from a `GetEffectivePolicy` request, the
966            # `etag` will be unset.
967            #
968            # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
969            # that was returned from a `GetOrgPolicy` request as part of a
970            # read-modify-write loop for concurrency control. Not setting the `etag`in a
971            # `SetOrgPolicy` request will result in an unconditional write of the
972            # `Policy`.
973      },
974    ],
975  }</pre>
976</div>
977
978<div class="method">
979    <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
980  <pre>Retrieves the next page of results.
981
982Args:
983  previous_request: The request for the previous page. (required)
984  previous_response: The response from the request for the previous page. (required)
985
986Returns:
987  A request object that you can call 'execute()' on to request the next
988  page. Returns None if there are no more items in the collection.
989    </pre>
990</div>
991
992<div class="method">
993    <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
994  <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
995that `Constraint` on the resource if one does not exist.
996
997Not supplying an `etag` on the request `Policy` results in an unconditional
998write of the `Policy`.
999
1000Args:
1001  resource: string, Resource name of the resource to attach the `Policy`. (required)
1002  body: object, The request body. (required)
1003    The object takes the form of:
1004
1005{ # The request sent to the SetOrgPolicyRequest method.
1006    "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
1007        # for configurations of Cloud Platform resources.
1008      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
1009          # server, not specified by the caller, and represents the last time a call to
1010          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
1011          # be ignored.
1012      "version": 42, # Version of the `Policy`. Default version is 0;
1013      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
1014          # `constraints/serviceuser.services`.
1015          #
1016          # Immutable after creation.
1017      "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
1018          # `Constraint` type.
1019          # `constraint_default` enforcement behavior of the specific `Constraint` at
1020          # this resource.
1021          #
1022          # Suppose that `constraint_default` is set to `ALLOW` for the
1023          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
1024          # foo.com sets a `Policy` at their Organization resource node that restricts
1025          # the allowed service activations to deny all service activations. They
1026          # could then set a `Policy` with the `policy_type` `restore_default` on
1027          # several experimental projects, restoring the `constraint_default`
1028          # enforcement of the `Constraint` for only those projects, allowing those
1029          # projects to have all services activated.
1030      },
1031      "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
1032          # resource.
1033          #
1034          # `ListPolicy` can define specific values and subtrees of Cloud Resource
1035          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
1036          # are allowed or denied by setting the `allowed_values` and `denied_values`
1037          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
1038          # The `under:` prefix is used to denote resource subtree values.
1039          # The `is:` prefix is used to denote specific values, and is required only
1040          # if the value contains a ":". Values prefixed with "is:" are treated the
1041          # same as values with no prefix.
1042          # Ancestry subtrees must be in one of the following formats:
1043          #     - “projects/<project-id>”, e.g.projects/tokyo-rain-1231044          #     - “folders/<folder-id>”, e.g.folders/12341045          #     - “organizations/<organization-id>”, e.g.organizations/12341046          # The `supports_under` field of the associated `Constraint`  defines whether
1047          # ancestry prefixes can be used. You can set `allowed_values` and
1048          # `denied_values` in the same `Policy` if `all_values` is
1049          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
1050          # values. If `all_values` is set to either `ALLOW` or `DENY`,
1051          # `allowed_values` and `denied_values` must be unset.
1052        "allValues": "A String", # The policy all_values state.
1053        "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
1054            # is set to `ALL_VALUES_UNSPECIFIED`.
1055          "A String",
1056        ],
1057        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
1058            #
1059            # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
1060            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
1061            # set to `true`, then the values from the effective `Policy` of the parent
1062            # resource are inherited, meaning the values set in this `Policy` are
1063            # added to the values inherited up the hierarchy.
1064            #
1065            # Setting `Policy` hierarchies that inherit both allowed values and denied
1066            # values isn't recommended in most circumstances to keep the configuration
1067            # simple and understandable. However, it is possible to set a `Policy` with
1068            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
1069            # In this case, the values that are allowed must be in `allowed_values` and
1070            # not present in `denied_values`.
1071            #
1072            # For example, suppose you have a `Constraint`
1073            # `constraints/serviceuser.services`, which has a `constraint_type` of
1074            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
1075            # Suppose that at the Organization level, a `Policy` is applied that
1076            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
1077            # `Policy` is applied to a project below the Organization that has
1078            # `inherit_from_parent` set to `false` and field all_values set to DENY,
1079            # then an attempt to activate any API will be denied.
1080            #
1081            # The following examples demonstrate different possible layerings for
1082            # `projects/bar` parented by `organizations/foo`:
1083            #
1084            # Example 1 (no inherited values):
1085            #   `organizations/foo` has a `Policy` with values:
1086            #     {allowed_values: “E1” allowed_values:”E2”}
1087            #   `projects/bar` has `inherit_from_parent` `false` and values:
1088            #     {allowed_values: "E3" allowed_values: "E4"}
1089            # The accepted values at `organizations/foo` are `E1`, `E2`.
1090            # The accepted values at `projects/bar` are `E3`, and `E4`.
1091            #
1092            # Example 2 (inherited values):
1093            #   `organizations/foo` has a `Policy` with values:
1094            #     {allowed_values: “E1” allowed_values:”E2”}
1095            #   `projects/bar` has a `Policy` with values:
1096            #     {value: “E3” value: ”E4” inherit_from_parent: true}
1097            # The accepted values at `organizations/foo` are `E1`, `E2`.
1098            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
1099            #
1100            # Example 3 (inheriting both allowed and denied values):
1101            #   `organizations/foo` has a `Policy` with values:
1102            #     {allowed_values: "E1" allowed_values: "E2"}
1103            #   `projects/bar` has a `Policy` with:
1104            #     {denied_values: "E1"}
1105            # The accepted values at `organizations/foo` are `E1`, `E2`.
1106            # The value accepted at `projects/bar` is `E2`.
1107            #
1108            # Example 4 (RestoreDefault):
1109            #   `organizations/foo` has a `Policy` with values:
1110            #     {allowed_values: “E1” allowed_values:”E2”}
1111            #   `projects/bar` has a `Policy` with values:
1112            #     {RestoreDefault: {}}
1113            # The accepted values at `organizations/foo` are `E1`, `E2`.
1114            # The accepted values at `projects/bar` are either all or none depending on
1115            # the value of `constraint_default` (if `ALLOW`, all; if
1116            # `DENY`, none).
1117            #
1118            # Example 5 (no policy inherits parent policy):
1119            #   `organizations/foo` has no `Policy` set.
1120            #   `projects/bar` has no `Policy` set.
1121            # The accepted values at both levels are either all or none depending on
1122            # the value of `constraint_default` (if `ALLOW`, all; if
1123            # `DENY`, none).
1124            #
1125            # Example 6 (ListConstraint allowing all):
1126            #   `organizations/foo` has a `Policy` with values:
1127            #     {allowed_values: “E1” allowed_values: ”E2”}
1128            #   `projects/bar` has a `Policy` with:
1129            #     {all: ALLOW}
1130            # The accepted values at `organizations/foo` are `E1`, E2`.
1131            # Any value is accepted at `projects/bar`.
1132            #
1133            # Example 7 (ListConstraint allowing none):
1134            #   `organizations/foo` has a `Policy` with values:
1135            #     {allowed_values: “E1” allowed_values: ”E2”}
1136            #   `projects/bar` has a `Policy` with:
1137            #     {all: DENY}
1138            # The accepted values at `organizations/foo` are `E1`, E2`.
1139            # No value is accepted at `projects/bar`.
1140            #
1141            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
1142            # Given the following resource hierarchy
1143            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
1144            #   `organizations/foo` has a `Policy` with values:
1145            #     {allowed_values: "under:organizations/O1"}
1146            #   `projects/bar` has a `Policy` with:
1147            #     {allowed_values: "under:projects/P3"}
1148            #     {denied_values: "under:folders/F2"}
1149            # The accepted values at `organizations/foo` are `organizations/O1`,
1150            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
1151            #   `projects/P3`.
1152            # The accepted values at `projects/bar` are `organizations/O1`,
1153            #   `folders/F1`, `projects/P1`.
1154        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
1155            # that matches the value specified in this `Policy`. If `suggested_value`
1156            # is not set, it will inherit the value specified higher in the hierarchy,
1157            # unless `inherit_from_parent` is `false`.
1158        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
1159            # is set to `ALL_VALUES_UNSPECIFIED`.
1160          "A String",
1161        ],
1162      },
1163      "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
1164          # resource.
1165        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
1166            # configuration is acceptable.
1167            #
1168            # Suppose you have a `Constraint`
1169            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
1170            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
1171            # behavior:
1172            #   - If the `Policy` at this resource has enforced set to `false`, serial
1173            #     port connection attempts will be allowed.
1174            #   - If the `Policy` at this resource has enforced set to `true`, serial
1175            #     port connection attempts will be refused.
1176            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
1177            #     connection attempts will be allowed.
1178            #   - If no `Policy` is set at this resource or anywhere higher in the
1179            #     resource hierarchy, serial port connection attempts will be allowed.
1180            #   - If no `Policy` is set at this resource, but one exists higher in the
1181            #     resource hierarchy, the behavior is as if the`Policy` were set at
1182            #     this resource.
1183            #
1184            # The following examples demonstrate the different possible layerings:
1185            #
1186            # Example 1 (nearest `Constraint` wins):
1187            #   `organizations/foo` has a `Policy` with:
1188            #     {enforced: false}
1189            #   `projects/bar` has no `Policy` set.
1190            # The constraint at `projects/bar` and `organizations/foo` will not be
1191            # enforced.
1192            #
1193            # Example 2 (enforcement gets replaced):
1194            #   `organizations/foo` has a `Policy` with:
1195            #     {enforced: false}
1196            #   `projects/bar` has a `Policy` with:
1197            #     {enforced: true}
1198            # The constraint at `organizations/foo` is not enforced.
1199            # The constraint at `projects/bar` is enforced.
1200            #
1201            # Example 3 (RestoreDefault):
1202            #   `organizations/foo` has a `Policy` with:
1203            #     {enforced: true}
1204            #   `projects/bar` has a `Policy` with:
1205            #     {RestoreDefault: {}}
1206            # The constraint at `organizations/foo` is enforced.
1207            # The constraint at `projects/bar` is not enforced, because
1208            # `constraint_default` for the `Constraint` is `ALLOW`.
1209      },
1210      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
1211          # concurrency control.
1212          #
1213          # When the `Policy` is returned from either a `GetPolicy` or a
1214          # `ListOrgPolicy` request, this `etag` indicates the version of the current
1215          # `Policy` to use when executing a read-modify-write loop.
1216          #
1217          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
1218          # `etag` will be unset.
1219          #
1220          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
1221          # that was returned from a `GetOrgPolicy` request as part of a
1222          # read-modify-write loop for concurrency control. Not setting the `etag`in a
1223          # `SetOrgPolicy` request will result in an unconditional write of the
1224          # `Policy`.
1225    },
1226  }
1227
1228  x__xgafv: string, V1 error format.
1229    Allowed values
1230      1 - v1 error format
1231      2 - v2 error format
1232
1233Returns:
1234  An object of the form:
1235
1236    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
1237      # for configurations of Cloud Platform resources.
1238    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
1239        # server, not specified by the caller, and represents the last time a call to
1240        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
1241        # be ignored.
1242    "version": 42, # Version of the `Policy`. Default version is 0;
1243    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
1244        # `constraints/serviceuser.services`.
1245        #
1246        # Immutable after creation.
1247    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
1248        # `Constraint` type.
1249        # `constraint_default` enforcement behavior of the specific `Constraint` at
1250        # this resource.
1251        #
1252        # Suppose that `constraint_default` is set to `ALLOW` for the
1253        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
1254        # foo.com sets a `Policy` at their Organization resource node that restricts
1255        # the allowed service activations to deny all service activations. They
1256        # could then set a `Policy` with the `policy_type` `restore_default` on
1257        # several experimental projects, restoring the `constraint_default`
1258        # enforcement of the `Constraint` for only those projects, allowing those
1259        # projects to have all services activated.
1260    },
1261    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
1262        # resource.
1263        #
1264        # `ListPolicy` can define specific values and subtrees of Cloud Resource
1265        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
1266        # are allowed or denied by setting the `allowed_values` and `denied_values`
1267        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
1268        # The `under:` prefix is used to denote resource subtree values.
1269        # The `is:` prefix is used to denote specific values, and is required only
1270        # if the value contains a ":". Values prefixed with "is:" are treated the
1271        # same as values with no prefix.
1272        # Ancestry subtrees must be in one of the following formats:
1273        #     - “projects/<project-id>”, e.g.projects/tokyo-rain-1231274        #     - “folders/<folder-id>”, e.g.folders/12341275        #     - “organizations/<organization-id>”, e.g.organizations/12341276        # The `supports_under` field of the associated `Constraint`  defines whether
1277        # ancestry prefixes can be used. You can set `allowed_values` and
1278        # `denied_values` in the same `Policy` if `all_values` is
1279        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
1280        # values. If `all_values` is set to either `ALLOW` or `DENY`,
1281        # `allowed_values` and `denied_values` must be unset.
1282      "allValues": "A String", # The policy all_values state.
1283      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
1284          # is set to `ALL_VALUES_UNSPECIFIED`.
1285        "A String",
1286      ],
1287      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
1288          #
1289          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
1290          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
1291          # set to `true`, then the values from the effective `Policy` of the parent
1292          # resource are inherited, meaning the values set in this `Policy` are
1293          # added to the values inherited up the hierarchy.
1294          #
1295          # Setting `Policy` hierarchies that inherit both allowed values and denied
1296          # values isn't recommended in most circumstances to keep the configuration
1297          # simple and understandable. However, it is possible to set a `Policy` with
1298          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
1299          # In this case, the values that are allowed must be in `allowed_values` and
1300          # not present in `denied_values`.
1301          #
1302          # For example, suppose you have a `Constraint`
1303          # `constraints/serviceuser.services`, which has a `constraint_type` of
1304          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
1305          # Suppose that at the Organization level, a `Policy` is applied that
1306          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
1307          # `Policy` is applied to a project below the Organization that has
1308          # `inherit_from_parent` set to `false` and field all_values set to DENY,
1309          # then an attempt to activate any API will be denied.
1310          #
1311          # The following examples demonstrate different possible layerings for
1312          # `projects/bar` parented by `organizations/foo`:
1313          #
1314          # Example 1 (no inherited values):
1315          #   `organizations/foo` has a `Policy` with values:
1316          #     {allowed_values: “E1” allowed_values:”E2”}
1317          #   `projects/bar` has `inherit_from_parent` `false` and values:
1318          #     {allowed_values: "E3" allowed_values: "E4"}
1319          # The accepted values at `organizations/foo` are `E1`, `E2`.
1320          # The accepted values at `projects/bar` are `E3`, and `E4`.
1321          #
1322          # Example 2 (inherited values):
1323          #   `organizations/foo` has a `Policy` with values:
1324          #     {allowed_values: “E1” allowed_values:”E2”}
1325          #   `projects/bar` has a `Policy` with values:
1326          #     {value: “E3” value: ”E4” inherit_from_parent: true}
1327          # The accepted values at `organizations/foo` are `E1`, `E2`.
1328          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
1329          #
1330          # Example 3 (inheriting both allowed and denied values):
1331          #   `organizations/foo` has a `Policy` with values:
1332          #     {allowed_values: "E1" allowed_values: "E2"}
1333          #   `projects/bar` has a `Policy` with:
1334          #     {denied_values: "E1"}
1335          # The accepted values at `organizations/foo` are `E1`, `E2`.
1336          # The value accepted at `projects/bar` is `E2`.
1337          #
1338          # Example 4 (RestoreDefault):
1339          #   `organizations/foo` has a `Policy` with values:
1340          #     {allowed_values: “E1” allowed_values:”E2”}
1341          #   `projects/bar` has a `Policy` with values:
1342          #     {RestoreDefault: {}}
1343          # The accepted values at `organizations/foo` are `E1`, `E2`.
1344          # The accepted values at `projects/bar` are either all or none depending on
1345          # the value of `constraint_default` (if `ALLOW`, all; if
1346          # `DENY`, none).
1347          #
1348          # Example 5 (no policy inherits parent policy):
1349          #   `organizations/foo` has no `Policy` set.
1350          #   `projects/bar` has no `Policy` set.
1351          # The accepted values at both levels are either all or none depending on
1352          # the value of `constraint_default` (if `ALLOW`, all; if
1353          # `DENY`, none).
1354          #
1355          # Example 6 (ListConstraint allowing all):
1356          #   `organizations/foo` has a `Policy` with values:
1357          #     {allowed_values: “E1” allowed_values: ”E2”}
1358          #   `projects/bar` has a `Policy` with:
1359          #     {all: ALLOW}
1360          # The accepted values at `organizations/foo` are `E1`, E2`.
1361          # Any value is accepted at `projects/bar`.
1362          #
1363          # Example 7 (ListConstraint allowing none):
1364          #   `organizations/foo` has a `Policy` with values:
1365          #     {allowed_values: “E1” allowed_values: ”E2”}
1366          #   `projects/bar` has a `Policy` with:
1367          #     {all: DENY}
1368          # The accepted values at `organizations/foo` are `E1`, E2`.
1369          # No value is accepted at `projects/bar`.
1370          #
1371          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
1372          # Given the following resource hierarchy
1373          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
1374          #   `organizations/foo` has a `Policy` with values:
1375          #     {allowed_values: "under:organizations/O1"}
1376          #   `projects/bar` has a `Policy` with:
1377          #     {allowed_values: "under:projects/P3"}
1378          #     {denied_values: "under:folders/F2"}
1379          # The accepted values at `organizations/foo` are `organizations/O1`,
1380          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
1381          #   `projects/P3`.
1382          # The accepted values at `projects/bar` are `organizations/O1`,
1383          #   `folders/F1`, `projects/P1`.
1384      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
1385          # that matches the value specified in this `Policy`. If `suggested_value`
1386          # is not set, it will inherit the value specified higher in the hierarchy,
1387          # unless `inherit_from_parent` is `false`.
1388      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
1389          # is set to `ALL_VALUES_UNSPECIFIED`.
1390        "A String",
1391      ],
1392    },
1393    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
1394        # resource.
1395      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
1396          # configuration is acceptable.
1397          #
1398          # Suppose you have a `Constraint`
1399          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
1400          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
1401          # behavior:
1402          #   - If the `Policy` at this resource has enforced set to `false`, serial
1403          #     port connection attempts will be allowed.
1404          #   - If the `Policy` at this resource has enforced set to `true`, serial
1405          #     port connection attempts will be refused.
1406          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
1407          #     connection attempts will be allowed.
1408          #   - If no `Policy` is set at this resource or anywhere higher in the
1409          #     resource hierarchy, serial port connection attempts will be allowed.
1410          #   - If no `Policy` is set at this resource, but one exists higher in the
1411          #     resource hierarchy, the behavior is as if the`Policy` were set at
1412          #     this resource.
1413          #
1414          # The following examples demonstrate the different possible layerings:
1415          #
1416          # Example 1 (nearest `Constraint` wins):
1417          #   `organizations/foo` has a `Policy` with:
1418          #     {enforced: false}
1419          #   `projects/bar` has no `Policy` set.
1420          # The constraint at `projects/bar` and `organizations/foo` will not be
1421          # enforced.
1422          #
1423          # Example 2 (enforcement gets replaced):
1424          #   `organizations/foo` has a `Policy` with:
1425          #     {enforced: false}
1426          #   `projects/bar` has a `Policy` with:
1427          #     {enforced: true}
1428          # The constraint at `organizations/foo` is not enforced.
1429          # The constraint at `projects/bar` is enforced.
1430          #
1431          # Example 3 (RestoreDefault):
1432          #   `organizations/foo` has a `Policy` with:
1433          #     {enforced: true}
1434          #   `projects/bar` has a `Policy` with:
1435          #     {RestoreDefault: {}}
1436          # The constraint at `organizations/foo` is enforced.
1437          # The constraint at `projects/bar` is not enforced, because
1438          # `constraint_default` for the `Constraint` is `ALLOW`.
1439    },
1440    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
1441        # concurrency control.
1442        #
1443        # When the `Policy` is returned from either a `GetPolicy` or a
1444        # `ListOrgPolicy` request, this `etag` indicates the version of the current
1445        # `Policy` to use when executing a read-modify-write loop.
1446        #
1447        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
1448        # `etag` will be unset.
1449        #
1450        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
1451        # that was returned from a `GetOrgPolicy` request as part of a
1452        # read-modify-write loop for concurrency control. Not setting the `etag`in a
1453        # `SetOrgPolicy` request will result in an unconditional write of the
1454        # `Policy`.
1455  }</pre>
1456</div>
1457
1458</body></html>