<html><body>
<h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.folders.html">folders</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Clears a `Policy` from a resource.</p>
<p class="toc_element">
  <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p>
<p class="toc_element">
  <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a `Policy` on a resource.</p>
<p class="toc_element">
  <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p>
<p class="toc_element">
  <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Lists all the `Policies` set for a particular resource.</p>
<p class="toc_element">
  <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code>
    <pre>Clears a `Policy` from a resource.

Args:
  resource: string, Name of the resource for the `Policy` to clear. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ClearOrgPolicy method.
    "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
        # will cause the `Policy` to be cleared blindly.
    "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
        # empty messages in your APIs. A typical example is to use it as the request
        # or the response type of an API method. For instance:
        #
        #     service Foo {
        #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
        #     }
        #
        # The JSON representation for `Empty` is empty JSON object `{}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code>
    <pre>Gets the effective `Policy` on a resource. This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag` set because it is a computed `Policy` across multiple resources.
Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
not be expanded.

Args:
  resource: string, The name of the resource to start computing the effective `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetEffectiveOrgPolicy method.
    "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          #
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          #
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
          #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
          #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          #
          # Used in `policy_type` to specify how `boolean_policy` will behave at this
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code>
    <pre>Gets a `Policy` on a resource.

If no `Policy` is set on the resource, a `Policy` is returned with default
values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
`etag` value can be used with `SetOrgPolicy()` to create or update a
`Policy` during read-modify-write.

Args:
  resource: string, Name of the resource the `Policy` is set on. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetOrgPolicy method.
    "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          #
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          #
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/&lt;project-id&gt;", e.g. "projects/tokyo-rain-123"
          #     - "folders/&lt;folder-id&gt;", e.g. "folders/1234"
          #     - "organizations/&lt;organization-id&gt;", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          #
          # Used in `policy_type` to specify how `boolean_policy` will behave at this
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code>
    <pre>Lists `Constraints` that could be applied on the specified resource.

Args:
  resource: string, Name of the resource to list `Constraints` for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the
    # [ListAvailableOrgPolicyConstraints][google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListAvailableOrgPolicyConstraints method.
        # Returns all `Constraints` that could be set at this level of the hierarchy
        # (contrast with the response from `ListPolicies`, which returns all policies
        # which are set).
      "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
      "constraints": [ # The collection of constraints that are settable on the request resource.
        { # A `Constraint` describes a way in which a resource's configuration can be
            # restricted. For example, it controls which cloud services can be activated
            # across an organization, or whether a Compute Engine instance can have
            # serial port connections established. `Constraints` can be configured by the
            # organization's policy administrator to fit the needs of the organization by
            # setting Policies for `Constraints` at different locations in the
            # organization's resource hierarchy. Policies are inherited down the resource
            # hierarchy from higher levels, but can also be overridden. For details about
            # the inheritance rules please read about
            # Policies.
            #
            # `Constraints` have a default behavior determined by the `constraint_default`
            # field, which is the enforcement behavior that is used in the absence of a
            # `Policy` being defined or inherited for the resource in question.
          "constraintDefault": "A String", # The evaluation behavior of this constraint in the absence of 'Policy'.
          "displayName": "A String", # The human readable name.
              #
              # Mutable.
          "name": "A String", # Immutable value, required to globally be unique. For example,
              # `constraints/serviceuser.services`
          "booleanConstraint": { # Defines this constraint as being a BooleanConstraint.
              #
              # A `Constraint` that is either enforced or not.
              #
              # For example a constraint `constraints/compute.disableSerialPortAccess`.
              # If it is enforced on a VM instance, serial port connections will not be
              # opened to that instance.
          },
          "version": 42, # Version of the `Constraint`. Default version is 0.
          "listConstraint": { # Defines this constraint as being a ListConstraint.
              # A `Constraint` that allows or disallows a list of string values, which are
              # configured by an Organization's policy administrator with a `Policy`.
            "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
                # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
                # example, `"under:folders/123"` would match any resource under the
                # 'folders/123' folder.
            "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
                # that matches the value specified in this `Constraint`.
          },
          "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
              # where it is enforced.
              #
              # Mutable.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code>
  <pre>Lists all the `Policies` set for a particular resource.

Args:
  resource: string, Name of the resource to list Policies for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ListOrgPolicies method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListOrgPolicies method. It will be empty
        # if no `Policies` are set on the resource.
      "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
          # the server may at any point start supplying a valid token.
      "policies": [ # The `Policies` that are set on the resource. It will be empty if no
          # `Policies` are set.
        { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
            # for configurations of Cloud Platform resources.
          "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
              # server, not specified by the caller, and represents the last time a call to
              # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
              # be ignored.
          "version": 42, # Version of the `Policy`. Default version is 0.
          "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
              # `constraints/serviceuser.services`.
              #
              # Immutable after creation.
          "restoreDefault": { # Restores the default behavior of the constraint; independent of
              # `Constraint` type.
              # Ignores policies set above this resource and restores the
              # `constraint_default` enforcement behavior of the specific `Constraint` at
              # this resource.
              #
              # Suppose that `constraint_default` is set to `ALLOW` for the
              # `Constraint` `constraints/serviceuser.services`. Suppose that organization
              # foo.com sets a `Policy` at their Organization resource node that restricts
              # the allowed service activations to deny all service activations. They
              # could then set a `Policy` with the `policy_type` `restore_default` on
              # several experimental projects, restoring the `constraint_default`
              # enforcement of the `Constraint` for only those projects, allowing those
              # projects to have all services activated.
          },
          "listPolicy": { # List of values either allowed or disallowed.
              # Used in `policy_type` to specify how `list_policy` behaves at this
              # resource.
              #
              # `ListPolicy` can define specific values and subtrees of Cloud Resource
              # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
              # are allowed or denied by setting the `allowed_values` and `denied_values`
              # fields. This is achieved by using the `under:` and optional `is:` prefixes.
              # The `under:` prefix is used to denote resource subtree values.
              # The `is:` prefix is used to denote specific values, and is required only
              # if the value contains a ":". Values prefixed with "is:" are treated the
              # same as values with no prefix.
              # Ancestry subtrees must be in one of the following formats:
              #     - “projects/&lt;project-id&gt;”, e.g. “projects/tokyo-rain-123”
              #     - “folders/&lt;folder-id&gt;”, e.g. “folders/1234”
              #     - “organizations/&lt;organization-id&gt;”, e.g. “organizations/1234”
              # The `supports_under` field of the associated `Constraint` defines whether
              # ancestry prefixes can be used. You can set `allowed_values` and
              # `denied_values` in the same `Policy` if `all_values` is
              # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
              # values. If `all_values` is set to either `ALLOW` or `DENY`,
              # `allowed_values` and `denied_values` must be unset.
            "allValues": "A String", # The policy all_values state.
            "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
                # is set to `ALL_VALUES_UNSPECIFIED`.
              "A String",
            ],
            "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
                #
                # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
                # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
                # set to `true`, then the values from the effective `Policy` of the parent
                # resource are inherited, meaning the values set in this `Policy` are
                # added to the values inherited up the hierarchy.
                #
                # Setting `Policy` hierarchies that inherit both allowed values and denied
                # values isn't recommended in most circumstances to keep the configuration
                # simple and understandable. However, it is possible to set a `Policy` with
                # `allowed_values` set that inherits a `Policy` with `denied_values` set.
                # In this case, the values that are allowed must be in `allowed_values` and
                # not present in `denied_values`.
                #
                # For example, suppose you have a `Constraint`
                # `constraints/serviceuser.services`, which has a `constraint_type` of
                # `list_constraint`, and with `constraint_default` set to `ALLOW`.
                # Suppose that at the Organization level, a `Policy` is applied that
                # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
                # `Policy` is applied to a project below the Organization that has
                # `inherit_from_parent` set to `false` and field all_values set to DENY,
                # then an attempt to activate any API will be denied.
                #
                # The following examples demonstrate different possible layerings for
                # `projects/bar` parented by `organizations/foo`:
                #
                # Example 1 (no inherited values):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has `inherit_from_parent` `false` and values:
                #     {allowed_values: "E3" allowed_values: "E4"}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # The accepted values at `projects/bar` are `E3`, and `E4`.
                #
                # Example 2 (inherited values):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has a `Policy` with values:
                #     {value: "E3" value: "E4" inherit_from_parent: true}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
                #
                # Example 3 (inheriting both allowed and denied values):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has a `Policy` with:
                #     {denied_values: "E1"}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # The value accepted at `projects/bar` is `E2`.
                #
                # Example 4 (RestoreDefault):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has a `Policy` with values:
                #     {RestoreDefault: {}}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # The accepted values at `projects/bar` are either all or none depending on
                # the value of `constraint_default` (if `ALLOW`, all; if
                # `DENY`, none).
                #
                # Example 5 (no policy inherits parent policy):
                #   `organizations/foo` has no `Policy` set.
                #   `projects/bar` has no `Policy` set.
                # The accepted values at both levels are either all or none depending on
                # the value of `constraint_default` (if `ALLOW`, all; if
                # `DENY`, none).
                #
                # Example 6 (ListConstraint allowing all):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has a `Policy` with:
                #     {all: ALLOW}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # Any value is accepted at `projects/bar`.
                #
                # Example 7 (ListConstraint allowing none):
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "E1" allowed_values: "E2"}
                #   `projects/bar` has a `Policy` with:
                #     {all: DENY}
                # The accepted values at `organizations/foo` are `E1`, `E2`.
                # No value is accepted at `projects/bar`.
                #
                # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
                # Given the following resource hierarchy
                #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
                #   `organizations/foo` has a `Policy` with values:
                #     {allowed_values: "under:organizations/O1"}
                #   `projects/bar` has a `Policy` with:
                #     {allowed_values: "under:projects/P3"}
                #     {denied_values: "under:folders/F2"}
                # The accepted values at `organizations/foo` are `organizations/O1`,
                #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
                #   `projects/P3`.
                # The accepted values at `projects/bar` are `organizations/O1`,
                #   `folders/F1`, `projects/P1`.
            "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
                # that matches the value specified in this `Policy`. If `suggested_value`
                # is not set, it will inherit the value specified higher in the hierarchy,
                # unless `inherit_from_parent` is `false`.
            "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
                # is set to `ALL_VALUES_UNSPECIFIED`.
              "A String",
            ],
          },
          "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
              # Used in `policy_type` to specify how `boolean_policy` will behave at this
              # resource.
            "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
                # configuration is acceptable.
                #
                # Suppose you have a `Constraint`
                # `constraints/compute.disableSerialPortAccess` with `constraint_default`
                # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
                # behavior:
                #   - If the `Policy` at this resource has enforced set to `false`, serial
                #     port connection attempts will be allowed.
                #   - If the `Policy` at this resource has enforced set to `true`, serial
                #     port connection attempts will be refused.
                #   - If the `Policy` at this resource is `RestoreDefault`, serial port
                #     connection attempts will be allowed.
                #   - If no `Policy` is set at this resource or anywhere higher in the
                #     resource hierarchy, serial port connection attempts will be allowed.
                #   - If no `Policy` is set at this resource, but one exists higher in the
                #     resource hierarchy, the behavior is as if the `Policy` were set at
                #     this resource.
                #
                # The following examples demonstrate the different possible layerings:
                #
                # Example 1 (nearest `Constraint` wins):
                #   `organizations/foo` has a `Policy` with:
                #     {enforced: false}
                #   `projects/bar` has no `Policy` set.
                # The constraint at `projects/bar` and `organizations/foo` will not be
                # enforced.
                #
                # Example 2 (enforcement gets replaced):
                #   `organizations/foo` has a `Policy` with:
                #     {enforced: false}
                #   `projects/bar` has a `Policy` with:
                #     {enforced: true}
                # The constraint at `organizations/foo` is not enforced.
                # The constraint at `projects/bar` is enforced.
                #
                # Example 3 (RestoreDefault):
                #   `organizations/foo` has a `Policy` with:
                #     {enforced: true}
                #   `projects/bar` has a `Policy` with:
                #     {RestoreDefault: {}}
                # The constraint at `organizations/foo` is enforced.
                # The constraint at `projects/bar` is not enforced, because
                # `constraint_default` for the `Constraint` is `ALLOW`.
          },
          "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
              # concurrency control.
              #
              # When the `Policy` is returned from either a `GetPolicy` or a
              # `ListOrgPolicy` request, this `etag` indicates the version of the current
              # `Policy` to use when executing a read-modify-write loop.
              #
              # When the `Policy` is returned from a `GetEffectivePolicy` request, the
              # `etag` will be unset.
              #
              # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
              # that was returned from a `GetOrgPolicy` request as part of a
              # read-modify-write loop for concurrency control. Not setting the `etag` in a
              # `SetOrgPolicy` request will result in an unconditional write of the
              # `Policy`.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code>
  <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for
that `Constraint` on the resource if one does not exist.

Not supplying an `etag` on the request `Policy` results in an unconditional
write of the `Policy`.

Args:
  resource: string, Resource name of the resource to attach the `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the SetOrgPolicyRequest method.
    "policy": { # `Policy` to set on the resource.
        # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - “projects/&lt;project-id&gt;”, e.g. “projects/tokyo-rain-123”
          #     - “folders/&lt;folder-id&gt;”, e.g. “folders/1234”
          #     - “organizations/&lt;organization-id&gt;”, e.g. “organizations/1234”
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy.
            # However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          # Used in `policy_type` to specify how `boolean_policy` will behave at this
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`.
            # A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the `Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag` in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "version": 42, # Version of the `Policy`. Default version is 0.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          # Ignores policies set above this resource and restores the
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`.
          # Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # List of values either allowed or disallowed.
          # Used in `policy_type` to specify how `list_policy` behaves at this
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - “projects/&lt;project-id&gt;”, e.g. “projects/tokyo-rain-123”
          #     - “folders/&lt;folder-id&gt;”, e.g. “folders/1234”
          #     - “organizations/&lt;organization-id&gt;”, e.g. “organizations/1234”
          # The `supports_under` field of the associated `Constraint` defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
          #
          # The following examples demonstrate different possible layerings for
          # `projects/bar` parented by `organizations/foo`:
          #
          # Example 1 (no inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has `inherit_from_parent` `false` and values:
          #     {allowed_values: "E3" allowed_values: "E4"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E3`, and `E4`.
          #
          # Example 2 (inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {value: "E3" value: "E4" inherit_from_parent: true}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
          #
          # Example 3 (inheriting both allowed and denied values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {denied_values: "E1"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The value accepted at `projects/bar` is `E2`.
          #
          # Example 4 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {RestoreDefault: {}}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 5 (no policy inherits parent policy):
          #   `organizations/foo` has no `Policy` set.
          #   `projects/bar` has no `Policy` set.
          # The accepted values at both levels are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 6 (ListConstraint allowing all):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: ALLOW}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # Any value is accepted at `projects/bar`.
          #
          # Example 7 (ListConstraint allowing none):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: DENY}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # No value is accepted at `projects/bar`.
          #
          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
          # Given the following resource hierarchy
          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "under:organizations/O1"}
          #   `projects/bar` has a `Policy` with:
          #     {allowed_values: "under:projects/P3"}
          #     {denied_values: "under:folders/F2"}
          # The accepted values at `organizations/foo` are `organizations/O1`,
          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
          #   `projects/P3`.
          # The accepted values at `projects/bar` are `organizations/O1`,
          #   `folders/F1`, `projects/P1`.
      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
          # that matches the value specified in this `Policy`. If `suggested_value`
          # is not set, it will inherit the value specified higher in the hierarchy,
          # unless `inherit_from_parent` is `false`.
      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
    },
    "booleanPolicy": { # For boolean `Constraints`, whether to enforce the `Constraint` or not.
        # Used in `policy_type` to specify how `boolean_policy` will behave at this
        # resource.
      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
          # configuration is acceptable.
          #
          # Suppose you have a `Constraint`
          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
          # behavior:
          #   - If the `Policy` at this resource has enforced set to `false`, serial
          #     port connection attempts will be allowed.
          #   - If the `Policy` at this resource has enforced set to `true`, serial
          #     port connection attempts will be refused.
          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
          #     connection attempts will be allowed.
          #   - If no `Policy` is set at this resource or anywhere higher in the
          #     resource hierarchy, serial port connection attempts will be allowed.
          #   - If no `Policy` is set at this resource, but one exists higher in the
          #     resource hierarchy, the behavior is as if the `Policy` were set at
          #     this resource.
          #
          # The following examples demonstrate the different possible layerings:
          #
          # Example 1 (nearest `Constraint` wins):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has no `Policy` set.
          # The constraint at `projects/bar` and `organizations/foo` will not be
          # enforced.
          #
          # Example 2 (enforcement gets replaced):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has a `Policy` with:
          #     {enforced: true}
          # The constraint at `organizations/foo` is not enforced.
          # The constraint at `projects/bar` is enforced.
          #
          # Example 3 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: true}
          #   `projects/bar` has a `Policy` with:
          #     {RestoreDefault: {}}
          # The constraint at `organizations/foo` is enforced.
          # The constraint at `projects/bar` is not enforced, because
          # `constraint_default` for the `Constraint` is `ALLOW`.
    },
    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
        # concurrency control.
        #
        # When the `Policy` is returned from either a `GetPolicy` or a
        # `ListOrgPolicy` request, this `etag` indicates the version of the current
        # `Policy` to use when executing a read-modify-write loop.
        #
        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
        # `etag` will be unset.
        #
        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
        # that was returned from a `GetOrgPolicy` request as part of a
        # read-modify-write loop for concurrency control. Not setting the `etag` in a
        # `SetOrgPolicy` request will result in an unconditional write of the
        # `Policy`.
    }</pre>
</div>

</body></html>
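The `listPolicy` layering rules in Examples 1 to 7 above can be checked offline before a `Policy` is written with `setOrgPolicy`. The following is an added example, not part of the API reference or the client library. The helper names (`effective`, `accepts`, `default_state`) are hypothetical, Example 3 is modelled with `inheritFromParent` set to true as its title implies, and `under:` subtree matching is not modelled.

```python
ALL = object()  # sentinel: every value not explicitly denied is accepted


def default_state(constraint_default):
    # constraint_default ALLOW accepts everything, DENY accepts nothing.
    return (ALL if constraint_default == "ALLOW" else frozenset(), frozenset())


def effective(chain, constraint_default="ALLOW"):
    """Fold policies root-first (None = no Policy set at that node).
    Returns (allowed, denied); allowed is ALL or a frozenset."""
    state = default_state(constraint_default)
    for policy in chain:
        if policy is None:
            continue  # nothing set here: the ancestors' result carries down
        if "restoreDefault" in policy:
            state = default_state(constraint_default)
            continue
        lp = policy["listPolicy"]
        mode = lp.get("allValues", "ALL_VALUES_UNSPECIFIED")
        allowed = frozenset(lp.get("allowedValues", ()))
        denied = frozenset(lp.get("deniedValues", ()))
        if mode != "ALL_VALUES_UNSPECIFIED":
            if allowed or denied:
                raise ValueError("allowedValues/deniedValues must be unset")
            state = (ALL if mode == "ALLOW" else frozenset(), frozenset())
        elif lp.get("inheritFromParent", False):
            parent_allowed, parent_denied = state
            if parent_allowed is ALL:
                # Assumption: an allow-list narrows an unrestricted parent.
                merged = allowed or ALL
            else:
                merged = parent_allowed | allowed
            state = (merged, parent_denied | denied)
        else:
            # Supersedes the ancestors. Assumption: a policy that lists
            # only denied values accepts everything else.
            state = (allowed or ALL, denied)
    return state


def accepts(value, chain, constraint_default="ALLOW"):
    allowed, denied = effective(chain, constraint_default)
    return value not in denied and (allowed is ALL or value in allowed)


# Constructed sample input: Example 3 (organizations/foo, then projects/bar).
ORG = {"listPolicy": {"allowedValues": ["E1", "E2"]}}
BAR = {"listPolicy": {"deniedValues": ["E1"], "inheritFromParent": True}}
```

Calling `accepts("E2", [ORG, BAR])` walks the chain from `organizations/foo` to `projects/bar`; a `Policy` that combines `allValues` with a value list is rejected with `ValueError`, matching the rule that both lists must be unset in that case.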