<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.organizations.html">organizations</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Clears a `Policy` from a resource.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Fetches an Organization resource identified by the specified resource name.</p>
<p class="toc_element">
  <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the effective `Policy` on a resource.
This is the result of merging</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for an Organization resource. May be empty</p>
<p class="toc_element">
  <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a `Policy` on a resource.</p>
<p class="toc_element">
  <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
<p class="toc_element">
  <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Lists all the `Policies` set for a particular resource.</p>
<p class="toc_element">
  <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#search">search(body, x__xgafv=None)</a></code></p>
<p class="firstline">Searches Organization resources that are visible to the user and satisfy</p>
<p class="toc_element">
  <code><a href="#search_next">search_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on an Organization resource.
Replaces any</p>
<p class="toc_element">
  <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns permissions that a caller has on the specified Organization.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
  <pre>Clears a `Policy` from a resource.

Args:
  resource: string, Name of the resource for the `Policy` to clear. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ClearOrgPolicy method.
    "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
        # will cause the `Policy` to be cleared blindly.
    "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method. For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Fetches an Organization resource identified by the specified resource name.

Args:
  name: string, The resource name of the Organization to fetch.
This is the organization's
relative path in the API, formatted as "organizations/[organizationId]".
For example, "organizations/1234". (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The root node in the resource hierarchy to which a particular entity's
      # (e.g., company) resources belong.
      "owner": { # The owner of this Organization. The owner should be specified on
          # creation. Once set, it cannot be changed.
          # This field is required.
          #
          # The entity that owns an Organization. The lifetime of the Organization and
          # all of its descendants are bound to the `OrganizationOwner`. If the
          # `OrganizationOwner` is deleted, the Organization and all its descendants will
          # be deleted.
        "directoryCustomerId": "A String", # The G Suite customer id used in the Directory API.
      },
      "displayName": "A String", # A human-readable string that refers to the Organization in the
          # GCP Console UI. This string is set by the server and cannot be
          # changed. The string will be set to the primary domain (for example,
          # "google.com") of the G Suite customer that owns the organization.
          # @OutputOnly
      "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server.
          # @OutputOnly
      "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server.
          # @OutputOnly
      "name": "A String", # Output Only. The resource name of the organization. This is the
          # organization's relative path in the API. Its format is
          # "organizations/[organization_id]". For example, "organizations/1234".
    }</pre>
</div>

<div class="method">
    <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
  <pre>Gets the effective `Policy` on a resource.
This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag` set because it is a computed `Policy` across multiple resources.
Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
not be expanded.

Args:
  resource: string, The name of the resource to start computing the effective `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetEffectiveOrgPolicy method.
    "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          #
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`.
          # Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          #
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
          #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
          #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource.
            # Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1-&gt;{F1, F2}; F1-&gt;{P1}; F2-&gt;{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          #
          # Used in `policy_type` to specify how `boolean_policy` will behave at this
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for an Organization resource. May be empty
if no such policy or resource exists. The `resource` field should be the
organization's resource name, e.g. "organizations/123".

Authorization requires the Google IAM permission
`resourcemanager.organizations.getIamPolicy` on the specified organization.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `GetIamPolicy` method.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
      # specify access control policies for Cloud Platform resources.
      #
      #
      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
      # `members` to a `role`, where the members can be user accounts, Google groups,
      # Google domains, and service accounts. A `role` is a named list of permissions
      # defined by IAM.
      #
      # **JSON Example**
      #
      #     {
      #       "bindings": [
      #         {
      #           "role": "roles/owner",
      #           "members": [
      #             "user:mike@example.com",
      #             "group:admins@example.com",
      #             "domain:google.com",
      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
      #           ]
      #         },
      #         {
      #           "role": "roles/viewer",
      #           "members": ["user:sean@example.com"]
      #         }
      #       ]
      #     }
      #
      # **YAML Example**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
      #       role: roles/owner
      #     - members:
      #       - user:sean@example.com
      #       role: roles/viewer
      #
      #
      # For a description of IAM and its features, see the
      # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding.
              # Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) &gt; 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
          },
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain.
              #    For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
  <pre>Gets a `Policy` on a resource.

If no `Policy` is set on the resource, a `Policy` is returned with default
values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
`etag` value can be used with `SetOrgPolicy()` to create or update a
`Policy` during read-modify-write.

Args:
  resource: string, Name of the resource the `Policy` is set on. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetOrgPolicy method.
    "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0;
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          #
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          #
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
          #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
          #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
  <pre>Lists `Constraints` that could be applied on the specified resource.

Args:
  resource: string, Name of the resource to list `Constraints` for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the [ListAvailableOrgPolicyConstraints]
      # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned.
        # This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListAvailableOrgPolicyConstraints method.
      # Returns all `Constraints` that could be set at this level of the hierarchy
      # (contrast with the response from `ListPolicies`, which returns all policies
      # which are set).
    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
    "constraints": [ # The collection of constraints that are settable on the request resource.
      { # A `Constraint` describes a way in which a resource's configuration can be
          # restricted. For example, it controls which cloud services can be activated
          # across an organization, or whether a Compute Engine instance can have
          # serial port connections established. `Constraints` can be configured by the
          # organization's policy administrator to fit the needs of the organization by
          # setting Policies for `Constraints` at different locations in the
          # organization's resource hierarchy. Policies are inherited down the resource
          # hierarchy from higher levels, but can also be overridden. For details about
          # the inheritance rules please read about
          # Policies.
          #
          # `Constraints` have a default behavior determined by the `constraint_default`
          # field, which is the enforcement behavior that is used in the absence of a
          # `Policy` being defined or inherited for the resource in question.
        "constraintDefault": "A String", # The evaluation behavior of this constraint in the absence of a `Policy`.
        "displayName": "A String", # The human readable name.
            #
            # Mutable.
        "name": "A String", # Immutable value, required to globally be unique.
            # For example,
            # `constraints/serviceuser.services`
        "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
            #
            # For example a constraint `constraints/compute.disableSerialPortAccess`.
            # If it is enforced on a VM instance, serial port connections will not be
            # opened to that instance.
        },
        "version": 42, # Version of the `Constraint`. Default version is 0.
        "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
            # configured by an Organization's policy administrator with a `Policy`.
          "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
              # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
              # example, `"under:folders/123"` would match any resource under the
              # 'folders/123' folder.
          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
              # that matches the value specified in this `Constraint`.
        },
        "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
            # where it is enforced.
            #
            # Mutable.
      },
    ],
  }</pre>
</div>

<div class="method">
    <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
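
The `ListPolicy` layering rules documented on this page (Examples 1 to 7 under `inheritFromParent`), worked through as an added Python example; it is not part of this API reference or of the client library. `Effective`, `apply_policy`, `effective_at` and `accepted` are hypothetical names, the policies are constructed samples, and reading a deny-only policy that does not inherit as "every value except the denied ones" is an assumption.

```python
"""Evaluate `ListPolicy` layering for one constraint (added example, not library code)."""
from dataclasses import dataclass

UNSPECIFIED = "ALL_VALUES_UNSPECIFIED"


@dataclass(frozen=True)
class Effective:
    """Hypothetical helper: the set of values accepted at one resource."""
    allow_all: bool
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()

    def accepts(self, value):
        return value not in self.denied and (self.allow_all or value in self.allowed)


def from_default(constraint_default):
    """Behaviour when no `Policy` is set or inherited: ALLOW = all, DENY = none."""
    if constraint_default not in ("ALLOW", "DENY"):
        raise ValueError("constraint_default must be ALLOW or DENY")
    return Effective(allow_all=constraint_default == "ALLOW")


def apply_policy(policy, parent, constraint_default):
    """Combine the parent's effective state with the `Policy` set at this resource."""
    if policy is None:                  # nothing set here: the parent's state applies
        return parent
    if "restoreDefault" in policy:      # ignores every policy set above
        return from_default(constraint_default)
    lp = policy["listPolicy"]
    all_values = lp.get("allValues", UNSPECIFIED)
    allowed = frozenset(lp.get("allowedValues", ()))
    denied = frozenset(lp.get("deniedValues", ()))
    if all_values not in ("ALLOW", "DENY", UNSPECIFIED):
        raise ValueError("unknown allValues: %r" % (all_values,))
    if all_values != UNSPECIFIED:
        if allowed or denied:
            raise ValueError("allowedValues/deniedValues must be unset "
                             "when allValues is ALLOW or DENY")
        return Effective(allow_all=all_values == "ALLOW")
    if lp.get("inheritFromParent", False):
        # Values set here are added to the values inherited from the parent.
        return Effective(parent.allow_all, parent.allowed | allowed,
                         parent.denied | denied)
    # Assumption: a deny-only policy that does not inherit accepts every
    # value except the denied ones.
    return Effective(allow_all=not allowed, allowed=allowed, denied=denied)


def effective_at(chain, constraint_default):
    """`chain` lists the policies from the organization down to the target
    resource; None stands for a resource with no `Policy` set."""
    state = from_default(constraint_default)
    for policy in chain:
        state = apply_policy(policy, state, constraint_default)
    return state


def accepted(chain, constraint_default, universe):
    """Return the values of `universe` accepted at the end of `chain`."""
    state = effective_at(chain, constraint_default)
    return sorted(v for v in universe if state.accepts(v))


# Constructed samples mirroring the page's layering examples
# (organizations/foo first, then projects/bar).
UNIVERSE = ["E1", "E2", "E3", "E4", "E5"]
ORG = {"listPolicy": {"allowedValues": ["E1", "E2"]}}
SAMPLES = {
    "1 no inherited values": [ORG, {"listPolicy": {
        "allowedValues": ["E3", "E4"], "inheritFromParent": False}}],
    "2 inherited values": [ORG, {"listPolicy": {
        "allowedValues": ["E3", "E4"], "inheritFromParent": True}}],
    # The page's Example 3 does not print the flag; inheritance is assumed.
    "3 allowed and denied": [ORG, {"listPolicy": {
        "deniedValues": ["E1"], "inheritFromParent": True}}],
    "4 RestoreDefault": [ORG, {"restoreDefault": {}}],
    "5 no policy anywhere": [None, None],
    "6 allowing all": [ORG, {"listPolicy": {"allValues": "ALLOW"}}],
    "7 allowing none": [ORG, {"listPolicy": {"allValues": "DENY"}}],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, accepted(chain, "ALLOW", UNIVERSE))
```

Running the same chains with `constraint_default` set to `DENY` changes only samples 4 and 5, which is a quick way to see which resources depend on the constraint's default rather than on an explicit `Policy`.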
    </pre>
</div>

<div class="method">
    <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
  <pre>Lists all the `Policies` set for a particular resource.

Args:
  resource: string, Name of the resource to list Policies for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ListOrgPolicies method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListOrgPolicies method. It will be empty
      # if no `Policies` are set on the resource.
    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
        # the server may at any point start supplying a valid token.
    "policies": [ # The `Policies` that are set on the resource. It will be empty if no
        # `Policies` are set.
      { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
          # for configurations of Cloud Platform resources.
        "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
            # server, not specified by the caller, and represents the last time a call to
            # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
            # be ignored.
        "version": 42, # Version of the `Policy`.
            # Default version is 0.
        "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
            # `constraints/serviceuser.services`.
            #
            # Immutable after creation.
        "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
            # `Constraint` type.
            # `constraint_default` enforcement behavior of the specific `Constraint` at
            # this resource.
            #
            # Suppose that `constraint_default` is set to `ALLOW` for the
            # `Constraint` `constraints/serviceuser.services`. Suppose that organization
            # foo.com sets a `Policy` at their Organization resource node that restricts
            # the allowed service activations to deny all service activations. They
            # could then set a `Policy` with the `policy_type` `restore_default` on
            # several experimental projects, restoring the `constraint_default`
            # enforcement of the `Constraint` for only those projects, allowing those
            # projects to have all services activated.
        },
        "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
            # resource.
            #
            # `ListPolicy` can define specific values and subtrees of Cloud Resource
            # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
            # are allowed or denied by setting the `allowed_values` and `denied_values`
            # fields. This is achieved by using the `under:` and optional `is:` prefixes.
            # The `under:` prefix is used to denote resource subtree values.
            # The `is:` prefix is used to denote specific values, and is required only
            # if the value contains a ":". Values prefixed with "is:" are treated the
            # same as values with no prefix.
            # Ancestry subtrees must be in one of the following formats:
            #     - "projects/<project-id>", e.g.
            #       "projects/tokyo-rain-123"
            #     - "folders/<folder-id>", e.g. "folders/1234"
            #     - "organizations/<organization-id>", e.g. "organizations/1234"
            # The `supports_under` field of the associated `Constraint` defines whether
            # ancestry prefixes can be used. You can set `allowed_values` and
            # `denied_values` in the same `Policy` if `all_values` is
            # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
            # values. If `all_values` is set to either `ALLOW` or `DENY`,
            # `allowed_values` and `denied_values` must be unset.
          "allValues": "A String", # The policy all_values state.
          "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
              # is set to `ALL_VALUES_UNSPECIFIED`.
            "A String",
          ],
          "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
              #
              # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
              # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
              # set to `true`, then the values from the effective `Policy` of the parent
              # resource are inherited, meaning the values set in this `Policy` are
              # added to the values inherited up the hierarchy.
              #
              # Setting `Policy` hierarchies that inherit both allowed values and denied
              # values isn't recommended in most circumstances to keep the configuration
              # simple and understandable. However, it is possible to set a `Policy` with
              # `allowed_values` set that inherits a `Policy` with `denied_values` set.
              # In this case, the values that are allowed must be in `allowed_values` and
              # not present in `denied_values`.
              #
              # For example, suppose you have a `Constraint`
              # `constraints/serviceuser.services`, which has a `constraint_type` of
              # `list_constraint`, and with `constraint_default` set to `ALLOW`.
              # Suppose that at the Organization level, a `Policy` is applied that
              # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
              # `Policy` is applied to a project below the Organization that has
              # `inherit_from_parent` set to `false` and `all_values` set to `DENY`,
              # then an attempt to activate any API will be denied.
              #
              # The following examples demonstrate different possible layerings for
              # `projects/bar` parented by `organizations/foo`:
              #
              # Example 1 (no inherited values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has `inherit_from_parent` `false` and values:
              #     {allowed_values: "E3" allowed_values: "E4"}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are `E3`, and `E4`.
              #
              # Example 2 (inherited values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with values:
              #     {value: "E3" value: "E4" inherit_from_parent: true}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
              #
              # Example 3 (inheriting both allowed and denied values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {denied_values: "E1"}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The value accepted at `projects/bar` is `E2`.
              #
              # Example 4 (RestoreDefault):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with values:
              #     {RestoreDefault: {}}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are either all or none depending on
              # the value of `constraint_default` (if `ALLOW`, all; if
              # `DENY`, none).
              #
              # Example 5 (no policy inherits parent policy):
              #   `organizations/foo` has no `Policy` set.
              #   `projects/bar` has no `Policy` set.
              # The accepted values at both levels are either all or none depending on
              # the value of `constraint_default` (if `ALLOW`, all; if
              # `DENY`, none).
              #
              # Example 6 (ListConstraint allowing all):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {all: ALLOW}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # Any value is accepted at `projects/bar`.
              #
              # Example 7 (ListConstraint allowing none):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {all: DENY}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # No value is accepted at `projects/bar`.
              #
              # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
              # Given the following resource hierarchy
              #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "under:organizations/O1"}
              #   `projects/bar` has a `Policy` with:
              #     {allowed_values: "under:projects/P3"}
              #     {denied_values: "under:folders/F2"}
              # The accepted values at `organizations/foo` are `organizations/O1`,
              #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
              #   `projects/P3`.
              # The accepted values at `projects/bar` are `organizations/O1`,
              #   `folders/F1`, `projects/P1`.
          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
              # that matches the value specified in this `Policy`.
              # If `suggested_value`
              # is not set, it will inherit the value specified higher in the hierarchy,
              # unless `inherit_from_parent` is `false`.
          "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
              # is set to `ALL_VALUES_UNSPECIFIED`.
            "A String",
          ],
        },
        "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
            # resource.
          "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
              # configuration is acceptable.
              #
              # Suppose you have a `Constraint`
              # `constraints/compute.disableSerialPortAccess` with `constraint_default`
              # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
              # behavior:
              #   - If the `Policy` at this resource has enforced set to `false`, serial
              #     port connection attempts will be allowed.
              #   - If the `Policy` at this resource has enforced set to `true`, serial
              #     port connection attempts will be refused.
              #   - If the `Policy` at this resource is `RestoreDefault`, serial port
              #     connection attempts will be allowed.
              #   - If no `Policy` is set at this resource or anywhere higher in the
              #     resource hierarchy, serial port connection attempts will be allowed.
              #   - If no `Policy` is set at this resource, but one exists higher in the
              #     resource hierarchy, the behavior is as if the `Policy` were set at
              #     this resource.
              #
              # The following examples demonstrate the different possible layerings:
              #
              # Example 1 (nearest `Constraint` wins):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: false}
              #   `projects/bar` has no `Policy` set.
              # The constraint at `projects/bar` and `organizations/foo` will not be
              # enforced.
              #
              # Example 2 (enforcement gets replaced):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: false}
              #   `projects/bar` has a `Policy` with:
              #     {enforced: true}
              # The constraint at `organizations/foo` is not enforced.
              # The constraint at `projects/bar` is enforced.
              #
              # Example 3 (RestoreDefault):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: true}
              #   `projects/bar` has a `Policy` with:
              #     {RestoreDefault: {}}
              # The constraint at `organizations/foo` is enforced.
              # The constraint at `projects/bar` is not enforced, because
              # `constraint_default` for the `Constraint` is `ALLOW`.
        },
        "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
            # concurrency control.
            #
            # When the `Policy` is returned from either a `GetPolicy` or a
            # `ListOrgPolicy` request, this `etag` indicates the version of the current
            # `Policy` to use when executing a read-modify-write loop.
            #
            # When the `Policy` is returned from a `GetEffectivePolicy` request, the
            # `etag` will be unset.
            #
            # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
            # that was returned from a `GetOrgPolicy` request as part of a
            # read-modify-write loop for concurrency control. Not setting the `etag` in a
            # `SetOrgPolicy` request will result in an unconditional write of the
            # `Policy`.
      },
    ],
  }</pre>
</div>

<div class="method">
    <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page.
  Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="search">search(body, x__xgafv=None)</code>
  <pre>Searches Organization resources that are visible to the user and satisfy
the specified filter. This method returns Organizations in an unspecified
order. New Organizations do not necessarily appear at the end of the
results.

Search will only return organizations on which the user has the permission
`resourcemanager.organizations.get`.

Args:
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the `SearchOrganizations` method.
    "filter": "A String", # An optional query string used to filter the Organizations to return in
        # the response. Filter rules are case-insensitive.
        #
        # Organizations may be filtered by `owner.directoryCustomerId` or by
        # `domain`, where the domain is a G Suite domain, for example:
        #
        # | Filter                              | Description                      |
        # |-------------------------------------|----------------------------------|
        # | owner.directorycustomerid:123456789 | Organizations with `owner.directory_customer_id` equal to `123456789`.|
        # | domain:google.com                   | Organizations corresponding to the domain `google.com`.|
        #
        # This field is optional.
    "pageToken": "A String", # A pagination token returned from a previous call to `SearchOrganizations`
        # that indicates from where listing should continue.
        # This field is optional.
    "pageSize": 42, # The maximum number of Organizations to return in the response.
        # This field is optional.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the `SearchOrganizations` method.
    "nextPageToken": "A String", # A pagination token to be used to retrieve the next page of results. If the
        # result is too large to fit within the page size specified in the request,
        # this field will be set with a token that can be used to fetch the next page
        # of results. If this field is empty, it indicates that this response
        # contains the last page of results.
    "organizations": [ # The list of Organizations that matched the search query, possibly
        # paginated.
      { # The root node in the resource hierarchy to which a particular entity's
          # (e.g., company) resources belong.
        "owner": { # The entity that owns an Organization. The lifetime of the Organization and # The owner of this Organization. The owner should be specified on
            # creation. Once set, it cannot be changed.
            # This field is required.
            # all of its descendants are bound to the `OrganizationOwner`. If the
            # `OrganizationOwner` is deleted, the Organization and all its descendants will
            # be deleted.
          "directoryCustomerId": "A String", # The G Suite customer id used in the Directory API.
        },
        "displayName": "A String", # A human-readable string that refers to the Organization in the
            # GCP Console UI. This string is set by the server and cannot be
            # changed. The string will be set to the primary domain (for example,
            # "google.com") of the G Suite customer that owns the organization.
            # @OutputOnly
        "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server.
            # @OutputOnly
        "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server.
            # @OutputOnly
        "name": "A String", # Output Only. The resource name of the organization. This is the
            # organization's relative path in the API. Its format is
            # "organizations/[organization_id]". For example, "organizations/1234".
      },
    ],
  }</pre>
</div>

<div class="method">
    <code class="details" id="search_next">search_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the access control policy on an Organization resource. Replaces any
existing policy. The `resource` field should be the organization's resource
name, e.g. "organizations/123".

Authorization requires the Google IAM permission
`resourcemanager.organizations.setIamPolicy` on the specified organization.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts.
        # A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
              #
              # The application context of the containing message determines which
              # well-known feature set of CEL is supported.
          "description": "A String", # An optional description of the expression. This is a longer text which
              # describes the expression, e.g. when hovered over it in a UI.
          "title": "A String", # An optional title for the expression, i.e. a short string describing
              # its purpose. This can be used e.g. in UIs which allow entering the
              # expression.
        },
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@gmail.com`.
            #
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service
            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group.
            #    For example, `admins@example.com`.
            #
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the
            #    users of that domain. For example, `google.com` or `example.com`.
            #
          "A String",
        ],
      },
    ],
    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
        # prevent simultaneous updates of a policy from overwriting each other.
        # It is strongly suggested that systems make use of the `etag` in the
        # read-modify-write cycle to perform policy updates in order to avoid race
        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
        # systems are expected to put that etag in the request to `setIamPolicy` to
        # ensure that their change will be applied to the same version of the policy.
        #
        # If no `etag` is provided in the call to `setIamPolicy`, then the existing
        # policy is overwritten blindly.
    "version": 42, # Deprecated.
    "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
      { # Specifies the audit configuration for a service.
          # The configuration determines which permission types are logged, and what
          # identities, if any, are exempted from logging.
          # An AuditConfig must have one or more AuditLogConfigs.
          #
          # If there are AuditConfigs for both `allServices` and a specific service,
          # the union of the two AuditConfigs is used for that service: the log_types
          # specified in each AuditConfig are enabled, and the exempted_members in each
          # AuditLogConfig are exempted.
          #
          # Example Policy with multiple AuditConfigs:
          #
          #     {
          #       "audit_configs": [
          #         {
          #           "service": "allServices",
          #           "audit_log_configs": [
          #             {
          #               "log_type": "DATA_READ",
          #               "exempted_members": [
          #                 "user:foo@gmail.com"
          #               ]
          #             },
          #             {
          #               "log_type": "DATA_WRITE"
          #             },
          #             {
          #               "log_type": "ADMIN_READ"
          #             }
          #           ]
          #         },
          #         {
          #           "service": "fooservice.googleapis.com",
          #           "audit_log_configs": [
          #             {
          #               "log_type": "DATA_READ"
          #             },
          #             {
          #               "log_type": "DATA_WRITE",
          #               "exempted_members": [
          #                 "user:bar@gmail.com"
          #               ]
          #             }
          #           ]
          #         }
          #       ]
          #     }
          #
          # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
          # logging. It also exempts foo@gmail.com from DATA_READ logging, and
          # bar@gmail.com from DATA_WRITE logging.
        "auditLogConfigs": [ # The configuration for logging of each type of permission.
          { # Provides the configuration for logging a type of permissions.
              # Example:
              #
              #     {
              #       "audit_log_configs": [
              #         {
              #           "log_type": "DATA_READ",
              #           "exempted_members": [
              #             "user:foo@gmail.com"
              #           ]
              #         },
              #         {
              #           "log_type": "DATA_WRITE"
              #         }
              #       ]
              #     }
              #
              # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
              # foo@gmail.com from DATA_READ logging.
            "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                # permission.
                # Follows the same format as Binding.members.
              "A String",
            ],
            "logType": "A String", # The log type that this config enables.
          },
        ],
        "service": "A String", # Specifies a service that will be enabled for audit logging.
            # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
            # `allServices` is a special value that covers all services.
      },
    ],
  },
  "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
      # the fields in the mask will be modified. If no mask is provided, the
      # following default mask is used:
      # paths: "bindings, etag"
      # This field is only used by Cloud IAM.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "condition": { # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via the current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              # Represents an expression text. Example:
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow entering the
                # expression.
          },
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
      "version": 42, # Deprecated.
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format as Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
  <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
that `Constraint` on the resource if one does not exist.

Not supplying an `etag` on the request `Policy` results in an unconditional
write of the `Policy`.

Args:
  resource: string, Resource name of the resource to attach the `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the SetOrgPolicyRequest method.
  "policy": { # `Policy` to set on the resource.
      #
      # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
        # server, not specified by the caller, and represents the last time a call to
        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
        # be ignored.
    "version": 42, # Version of the `Policy`. Default version is 0.
    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
        # `constraints/serviceuser.services`.
        #
        # Immutable after creation.
    "restoreDefault": { # Restores the default behavior of the constraint; independent of
        # `Constraint` type.
        #
        # Ignores policies set above this resource and restores the
        # `constraint_default` enforcement behavior of the specific `Constraint` at
        # this resource.
        #
        # Suppose that `constraint_default` is set to `ALLOW` for the
        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
        # foo.com sets a `Policy` at their Organization resource node that restricts
        # the allowed service activations to deny all service activations. They
        # could then set a `Policy` with the `policy_type` `restore_default` on
        # several experimental projects, restoring the `constraint_default`
        # enforcement of the `Constraint` for only those projects, allowing those
        # projects to have all services activated.
    },
    "listPolicy": { # List of values either allowed or disallowed.
        #
        # Used in `policy_type` to specify how `list_policy` behaves at this
        # resource.
        #
        # `ListPolicy` can define specific values and subtrees of Cloud Resource
        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
        # are allowed or denied by setting the `allowed_values` and `denied_values`
        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
        # The `under:` prefix is used to denote resource subtree values.
        # The `is:` prefix is used to denote specific values, and is required only
        # if the value contains a ":". Values prefixed with "is:" are treated the
        # same as values with no prefix.
        # Ancestry subtrees must be in one of the following formats:
        #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
        #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
        #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
        # The `supports_under` field of the associated `Constraint` defines whether
        # ancestry prefixes can be used. You can set `allowed_values` and
        # `denied_values` in the same `Policy` if `all_values` is
        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
        # values. If `all_values` is set to either `ALLOW` or `DENY`,
        # `allowed_values` and `denied_values` must be unset.
      "allValues": "A String", # The policy all_values state.
      "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
          #
          # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
          # set to `true`, then the values from the effective `Policy` of the parent
          # resource are inherited, meaning the values set in this `Policy` are
          # added to the values inherited up the hierarchy.
          #
          # Setting `Policy` hierarchies that inherit both allowed values and denied
          # values isn't recommended in most circumstances to keep the configuration
          # simple and understandable. However, it is possible to set a `Policy` with
          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
          # In this case, the values that are allowed must be in `allowed_values` and
          # not present in `denied_values`.
          #
          # For example, suppose you have a `Constraint`
          # `constraints/serviceuser.services`, which has a `constraint_type` of
          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
          # Suppose that at the Organization level, a `Policy` is applied that
          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
          # `Policy` is applied to a project below the Organization that has
          # `inherit_from_parent` set to `false` and field all_values set to DENY,
          # then an attempt to activate any API will be denied.
          #
          # The following examples demonstrate different possible layerings for
          # `projects/bar` parented by `organizations/foo`:
          #
          # Example 1 (no inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has `inherit_from_parent` `false` and values:
          #     {allowed_values: "E3" allowed_values: "E4"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E3` and `E4`.
          #
          # Example 2 (inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {value: "E3" value: "E4" inherit_from_parent: true}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
          #
          # Example 3 (inheriting both allowed and denied values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {denied_values: "E1"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The value accepted at `projects/bar` is `E2`.
          #
          # Example 4 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {RestoreDefault: {}}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 5 (no policy inherits parent policy):
          #   `organizations/foo` has no `Policy` set.
          #   `projects/bar` has no `Policy` set.
          # The accepted values at both levels are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 6 (ListConstraint allowing all):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: ALLOW}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # Any value is accepted at `projects/bar`.
          #
          # Example 7 (ListConstraint allowing none):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: DENY}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # No value is accepted at `projects/bar`.
          #
          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
          # Given the following resource hierarchy
          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "under:organizations/O1"}
          #   `projects/bar` has a `Policy` with:
          #     {allowed_values: "under:projects/P3"}
          #     {denied_values: "under:folders/F2"}
          # The accepted values at `organizations/foo` are `organizations/O1`,
          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
          #   `projects/P3`.
          # The accepted values at `projects/bar` are `organizations/O1`,
          #   `folders/F1`, `projects/P1`.
      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
          # that matches the value specified in this `Policy`. If `suggested_value`
          # is not set, it will inherit the value specified higher in the hierarchy,
          # unless `inherit_from_parent` is `false`.
      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
    },
    "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
        #
        # Used in `policy_type` to specify how `boolean_policy` will behave at this
        # resource.
      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
          # configuration is acceptable.
          #
          # Suppose you have a `Constraint`
          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
          # behavior:
          #   - If the `Policy` at this resource has enforced set to `false`, serial
          #     port connection attempts will be allowed.
          #   - If the `Policy` at this resource has enforced set to `true`, serial
          #     port connection attempts will be refused.
          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
          #     connection attempts will be allowed.
          #   - If no `Policy` is set at this resource or anywhere higher in the
          #     resource hierarchy, serial port connection attempts will be allowed.
          #   - If no `Policy` is set at this resource, but one exists higher in the
          #     resource hierarchy, the behavior is as if the `Policy` were set at
          #     this resource.
          #
          # The following examples demonstrate the different possible layerings:
          #
          # Example 1 (nearest `Constraint` wins):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has no `Policy` set.
          # The constraint at `projects/bar` and `organizations/foo` will not be
          # enforced.
          #
          # Example 2 (enforcement gets replaced):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has a `Policy` with:
          #     {enforced: true}
          # The constraint at `organizations/foo` is not enforced.
          # The constraint at `projects/bar` is enforced.
          #
          # Example 3 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: true}
          #   `projects/bar` has a `Policy` with:
          #     {RestoreDefault: {}}
          # The constraint at `organizations/foo` is enforced.
          # The constraint at `projects/bar` is not enforced, because
          # `constraint_default` for the `Constraint` is `ALLOW`.
    },
    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
        # concurrency control.
        #
        # When the `Policy` is returned from either a `GetPolicy` or a
        # `ListOrgPolicy` request, this `etag` indicates the version of the current
        # `Policy` to use when executing a read-modify-write loop.
        #
        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
        # `etag` will be unset.
        #
        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
        # that was returned from a `GetOrgPolicy` request as part of a
        # read-modify-write loop for concurrency control. Not setting the `etag` in a
        # `SetOrgPolicy` request will result in an unconditional write of the
        # `Policy`.
  },
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          #
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          #
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
          #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
          #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3` and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          # Used in `policy_type` to specify how `boolean_policy` will behave at this
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Returns permissions that a caller has on the specified Organization.
The `resource` field should be the organization's resource name,
e.g. "organizations/123".

There are no permissions required for making this API call.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }</pre>
</div>

</body></html>
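The `inheritFromParent` layering rules documented above for `listPolicy` can be checked offline before a policy is written. The following is an added example, not code from the API documentation or the Google client library: `ListPolicy`, `effective` and `accepted` are hypothetical names, and the model covers Examples 1 to 7 only (no `under:` subtree prefixes). It assumes that inheriting from a parent whose effective result is "all" or "none" leaves only the child's own values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ListPolicy:  # hypothetical model of the documented `listPolicy` fields
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()
    all_values: Optional[str] = None   # "ALLOW" or "DENY"
    inherit_from_parent: bool = False
    restore_default: bool = False

def effective(chain, constraint_default="ALLOW"):
    """Resolve policies ordered root -> leaf into (kind, allowed, denied)."""
    empty = frozenset()
    default = ("all" if constraint_default == "ALLOW" else "none", empty, empty)
    eff = default
    for p in chain:
        if p is None:
            continue                      # no Policy here: parent's result applies
        if p.restore_default:
            eff = default                 # back to constraint_default
        elif p.all_values:
            eff = ("all" if p.all_values == "ALLOW" else "none", empty, empty)
        elif p.inherit_from_parent and eff[0] == "list":
            eff = ("list", eff[1] | p.allowed, eff[2] | p.denied)  # values are added
        else:
            eff = ("list", p.allowed, p.denied)   # supersedes everything above
    return eff

def accepted(chain, candidates, constraint_default="ALLOW"):
    """Return the sorted candidates accepted at the last resource in chain."""
    kind, allowed, denied = effective(chain, constraint_default)
    if kind != "list":
        return sorted(candidates) if kind == "all" else []
    # Assumption: a policy with only denied values accepts everything else.
    return sorted(v for v in candidates
                  if v not in denied and (not allowed or v in allowed))

S = frozenset
ORG = ListPolicy(allowed=S({"E1", "E2"}))          # organizations/foo
VALUES = {"E1", "E2", "E3", "E4", "E5"}            # constructed candidate set

if __name__ == "__main__":
    bar = ListPolicy(allowed=S({"E3", "E4"}), inherit_from_parent=True)
    print(accepted([ORG, bar], VALUES))            # Example 2 layering
```

Comparing the result for a project with and without `inherit_from_parent` shows whether a child policy widens or replaces the organization's allowlist, which is the property to review before applying it.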