WdZddlmZddlmZddlmZddlmZdZ GddejZ Gd d ejZ Gd d ejZ Gd dejZGddejZGddejZGddejZGddejZGddejZGddejZGddejZGddejZGdd ejZGd!d"ejZGd#d$ejZGd%d&ejZGd'd(ejZGd)d*ejZGd+d,ejZGd-d.ejZGd/d0ejZGd1d2ejZ Gd3d4ejZ!Gd5d6ejZ"Gd7d8ejZ#Gd9d:ejZ$Gd;dejZ&Gd?d@ejZ'GdAdBejZ(GdCdDejZ)GdEdFejZ*GdGdHejZ+GdIdJejZ,GdKdLejZ-GdMdNejZ.GdOdPejZ/GdQdRejZ0GdSdTejZ1GdUdVejZ2GdWdXejZ3GdYdZejZ4Gd[d\ejZ5Gd]d^ejZ6Gd_d`ejZ7GdadbejZ8GdcddejZ9GdedfejZ:GdgdhejZ;GdidjejZ<GdkdlejZ=GdmdnejZ>GdodpejZ?GdqdrejZ@GdsdtejZAGdudvejZBGdwdxejZCGdydzejZDGd{d|ejZEGd}d~ejZFGddejZGGddejZHGddejZIGddejZJGddejZKGddejZLGddejZMGddejZNGddejZOGddejZPGddejZQGddejZRGddejZSGddejZTGddejZUGddejZVGddejZWGddejZXGddejZYGddejZZGddejZ[GddejZ\GddejZ]GddejZ^GddejZ_GddejZ`GddejZaGddejZbGddejZcGddejZdGddejZeGddejZfGddejZgGddejZhGdÄdejZiGdńdejZjGdDŽdejZkGdɄdejZlGd˄dejZmGd̈́dejZnGdτdejZoGdфdejZpGdӄdejZqGdՄdejZrGdׄdejZsejenddګejenjddܫejenjddޫy)aGenerated message classes for privilegedaccessmanager version v1. Privileged Access Manager (PAM) helps you to follow least privilege best practice to mitigate risks tied to privileged access misuse and abuse. You can shift from always-on standing privileges to on-demand access using time-bound and approval-based access elevations. IAM administrators specifically can use PAM to create entitlements that can grant temporary access to a specific resource scope. Requesters can explore eligible entitlements and request the access needed for their task, and approvers are notified when approvals require their attention. Streamlined workflows facilitated using PAM support several use cases, including the following: - Emergency access for incident responders - Time-boxed access for developers for critical deployment or maintenance - Temporary access for operators for data ingestion and audits - Temporary access to service accounts for automated tasks )absolute_import)messages)encoding) extra_typesprivilegedaccessmanagerc8eZdZdZej ddZy)AccessControlEntryaB`AccessControlEntry` is used to control who can do some operation. Fields: principals: Optional. Users who are allowed for the operation. Each entry should be a valid v1 IAM principal identifier. The format for these is documented at: https://cloud.google.com/iam/docs/principal- identifiers#v1 TrepeatedN)__name__ __module__ __qualname____doc__ _messages StringField principalsklib/googlecloudsdk/generated_clients/apis/privilegedaccessmanager/v1/privilegedaccessmanager_v1_messages.pyr r s%y$$Q6*rr ceZdZdZy) Activatedz@An event representing that the grant was successfully activated.Nr rrrrrrrr)sIrrc6eZdZdZej ddZy)ActivationFailedzAn event representing that the grant activation failed. Fields: error: Output only. The error that occurred while activating the grant. Statusr N)r rrrr MessageFielderrorrrrrr-s !) 1 -%rrc`eZdZdZej ddZej ddZy)AdditionalNotificationTargetsaO`AdditionalNotificationTargets` includes email addresses to be notified. Fields: adminEmailRecipients: Optional. Additional email addresses to be notified when a principal (requester) is granted access. requesterEmailRecipients: Optional. Additional email address to be notified about an eligible entitlement. r Tr N)r rrrrradminEmailRecipientsrequesterEmailRecipientsrrrr r 7s3/..q4@2Y221tDrr c6eZdZdZej ddZy)ApprovalWorkflowzDifferent types of approval workflows that can be used to gate privileged access granting. Fields: manualApprovals: An approval workflow where users designated as approvers review and act on the grants. ManualApprovalsr N)r rrrrrmanualApprovalsrrrr%r%E+I**+B$y$$Q'*()(()=q4P-   q !$,y,,Q/   q !$+Y++,>B!7!7!78VXY!Z )  4b 9%$y$$R(*rrFceZdZdZej ddZej ddZej ddZej dd Z ej d d Z ejd Z ej d dZ ej ddZej ddZej ddZej ddZej ddZy)EventaWA single operation on the grant. Fields: activated: The grant was successfully activated to give access. activationFailed: There was a non-retriable error while trying to give access. approved: The grant was approved. denied: The grant was denied. ended: Access given by the grant ended automatically as the approved duration was over. eventTime: Output only. The time (as recorded at server) when this event occurred. expired: The approval workflow did not complete in the necessary duration, and so the grant is expired. externallyModified: The policy bindings made by grant have been modified outside of PAM. requested: The grant was requested. revoked: The grant was revoked. scheduled: The grant has been scheduled to give access. withdrawn: The grant was withdrawn. rr rr!r/rIr@rJrDrKrSExpiredrTExternallyModifiedrV RequestedrXRevokedrY ScheduledrZ Withdrawn N)r rrrrr activatedactivationFailedapproveddeniedendedr eventTimeexpiredexternallyModified requestedrevoked scheduled withdrawnrrrriris,%i$$[!4)+Y++,>B #Y # #J 2( !9 ! !(A .& ) ! ,%#i##A&) "I " "9a 0'-y--.BAF$i$$[!4) "I " "9b 1'$i$$["5)$i$$["5)rriceZdZdZy)rjz1An event representing that the grant was expired.Nrrrrrjrjs:rrjceZdZdZy)rkz`An event representing that the policy bindings made by this grant were modified externally. Nrrrrrkrkrrkc6eZdZdZej ddZy)r<zFinding represents an issue which prevents PAM from functioning properly for this resource. Fields: iamAccessDenied: PAM's service account is being denied access by Cloud IAM. IAMAccessDeniedr N)r rrrrriamAccessDeniedrrrr<r<r(rr<ceZdZdZej dZej dZejdddZ y) GcpIamAccessad`GcpIamAccess` represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Fields: resource: Required. Name of the resource. resourceType: Required. The type of this resource. roleBindings: Required. Role bindings that are created on successful grant. r r! RoleBindingrITr N) r rrrrrresource resourceTyper roleBindingsrrrrr+sC #Y " "1 %(&&&q),''' q4H,rrceZdZdZy)GoogleProtobufEmptya!A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } Nrrrrrr<srrceZdZdZGddej ZejddZejddZ ejd Z ejd Z ejd d Zejd ZejddZejdZejdZej&ddZejddZejdZy)GrantaA grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for. Enums: StateValueValuesEnum: Output only. Current state of this grant. Fields: additionalEmailRecipients: Optional. Additional email addresses to notify for all the actions performed on the grant. auditTrail: Output only. Audit trail of access provided by this grant. If unspecified then access was never granted. createTime: Output only. Create time stamp. externallyModified: Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM. After it is set, this flag remains set forever irrespective of the grant state. A `true` value here indicates that PAM no longer has any certainty on the access a user has because of this grant. justification: Optional. Justification of why this access is needed. name: Identifier. Name of this grant. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` * `folders/{folder- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` The last segment of this name (`{grant-id}`) is autogenerated. privilegedAccess: Output only. The access that would be granted by this grant. requestedDuration: Required. The amount of time access is needed for. This value should be less than the `max_request_duration` value of the entitlement. requester: Output only. Username of the user who created this grant. state: Output only. Current state of this grant. timeline: Output only. Timeline of this grant. updateTime: Output only. Update time stamp. cDeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZy)Grant.StateValueValuesEnumaOutput only. Current state of this grant. Values: STATE_UNSPECIFIED: Unspecified state. This value is never returned by the server. APPROVAL_AWAITED: The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete. DENIED: The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state. SCHEDULED: The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time. ACTIVATING: Access is being given. ACTIVE: Access was successfully given and is currently active. ACTIVATION_FAILED: The system could not give access due to a non- retriable error. This is a terminal state. EXPIRED: Expired after waiting for the approval workflow to complete. This is a terminal state. REVOKING: Access is being revoked. REVOKED: Access was revoked by a user. This is a terminal state. ENDED: System took back access as the requested duration was over. This is a terminal state. WITHDRAWING: Access is being withdrawn. WITHDRAWN: Grant was withdrawn by the grant owner. This is a terminal state. rr r!rIrJrKrSrTrVrXrYrZrpN)r rrrrLAPPROVAL_AWAITEDDENIED SCHEDULED ACTIVATINGACTIVEACTIVATION_FAILEDEXPIREDREVOKINGREVOKEDENDED WITHDRAWING WITHDRAWNrrrrRrksM4 FIJ FGHG EKIrrRr Tr r4r!rIrJ JustificationrKrSrUrTrVrXrYTimelinerZrpN)r rrrrr[rRradditionalEmailRecipientsr auditTrailr^ BooleanFieldrx justificationrbrcrequestedDuration requesterrerftimelinergrrrrrEs#J'Y^^'R4i33AE%y%%lA6*$y$$Q'*-y--a0()((!<-   q !$+Y++,>B+i++A.#i##A&) )  4b 9% #Y # #J 3($y$$R(*rrc8eZdZdZej ddZy)ra7PAM's service account is being denied access by Cloud IAM. This can be fixed by granting a role that contains the missing permissions to the service account or exempting it from deny policies if they are blocking the access. Fields: missingPermissions: List of permissions that are being denied. r Tr N)r rrrrrmissingPermissionsrrrrrs-y,,Q>rrc4eZdZdZej dZy)raJustification represents a justification for requesting access. Fields: unstructuredJustification: A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string. r N)r rrrrrunstructuredJustificationrrrrrs4i33A6rrceZdZdZej dddZejdZejddZ y) ListEntitlementsResponsezMessage for response to listing entitlements. Fields: entitlements: The list of entitlements. nextPageToken: A token identifying a page of results the server should return. unreachable: Locations that could not be reached. rFr Tr r!rIN) r rrrrr entitlementsr nextPageToken unreachablerrrrrsE('' q4H,')''*-% %%a$7+rrceZdZdZej dddZejdZejddZ y) ListGrantsResponsezMessage for response to listing grants. Fields: grants: The list of grants. nextPageToken: A token identifying a page of results the server should return. unreachable: Locations that could not be reached. rr Tr r!rIN) r rrrrrgrantsrrrrrrrrsE "9 ! !'1t <&')''*-% %%a$7+rrc^eZdZdZej dddZejdZy)ListLocationsResponsezThe response message for Locations.ListLocations. Fields: locations: A list of locations that matches the specified filter in the request. nextPageToken: The standard List next-page token. Locationr Tr r!N) r rrrrr locationsrrrrrrrs1%i$$ZTB)')''*-rrc^eZdZdZej dZejdddZy)ListOperationsResponsezThe response message for Operations.ListOperations. Fields: nextPageToken: The standard List next-page token. operations: A list of operations that matches the specified filter in the request. r Operationr!Tr N) r rrrrrrr operationsrrrrrs1()''*-%y%%k1tD*rrcpeZdZdZej dGddejZej dGddejZ ejdZ ejddZ ejd Zejdd Zejd Zy ) raoA resource that represents a Google Cloud location. Messages: LabelsValue: Cross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} MetadataValue: Service-specific metadata. For example the available capacity at the given location. Fields: displayName: The friendly name for this location, typically a nearby city name. For example, "Tokyo". labels: Cross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} locationId: The canonical id for this location. For example: `"us-east1"`. metadata: Service-specific metadata. For example the available capacity at the given location. name: Resource name for the location, which may vary between implementations. For example: `"projects/example-project/locations/us- east1"` additionalPropertiescdeZdZdZGddej ZejdddZy)Location.LabelsValueaCross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} Messages: AdditionalProperty: An additional property for a LabelsValue object. Fields: additionalProperties: Additional properties of type LabelsValue cXeZdZdZej dZej dZy)'Location.LabelsValue.AdditionalPropertyzAn additional property for a LabelsValue object. Fields: key: Name of the additional property. value: A string attribute. r r!N)r rrrrrkeyvaluerrrAdditionalPropertyrs-  "I ! !! $c#i##A&errr Tr N r rrrrMessagerrrrrr LabelsValuer s4 'Y.. '29112FTXYrrcdeZdZdZGddej ZejdddZy)Location.MetadataValuea(Service-specific metadata. For example the available capacity at the given location. Messages: AdditionalProperty: An additional property for a MetadataValue object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cZeZdZdZej dZejddZy))Location.MetadataValue.AdditionalPropertyAn additional property for a MetadataValue object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r extra_types.JsonValuer!N r rrrrrrrrrrrrr/0  "I ! !! $c$i$$%B   q4 0$rrc8eZdZdZej ddZy)CPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsGetRequestzA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r TrNrrrrrr   q4 0$rrceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) DPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsListRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r!rIvariantrJrKTrNr rrrrrfilterorderBy IntegerFieldVariantINT32pageSize pageTokenrrrrrrs  !9  #& !I ! !! $' #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rrc^eZdZdZej ddZejddZy)FPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsRevokeRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r TrRevokeGrantRequestr!N r rrrrrrbrrevokeGrantRequestrrrr%r%s3   q4 0$-y--.BAFrr%c eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) FPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c eZdZdZdZdZdZdZy)hPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumRequired. Only grants which the caller is related to by this relationship are returned in the response. Values: CALLER_RELATIONSHIP_TYPE_UNSPECIFIED: Unspecified caller relationship type. HAD_CREATED: The user created this grant by calling `CreateGrant` earlier. CAN_APPROVE: The user is an approver for the entitlement that this grant is parented under and can currently approve/deny it. HAD_APPROVED: The caller had successfully approved/denied this grant earlier. rr r!rINr rrr$CALLER_RELATIONSHIP_TYPE_UNSPECIFIED HAD_CREATED CAN_APPROVE HAD_APPROVEDrrr!CallerRelationshipValueValuesEnumr, ,-(KKLrr3r r!rIrrJrKTrNr rrrrr[r3recallerRelationshiprrrrr r!r"rrrrr*r*s&)..&+y**+NPQR 9  #& #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rr*ceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) >PrivilegedaccessmanagerFoldersLocationsEntitlementsListRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r!rIrrJrKTrNrrrrr8r8ss  !9  #& !I ! !! $' #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rr8ceZdZdZej ddZejddZejdZ y) ?PrivilegedaccessmanagerFoldersLocationsEntitlementsPatchRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rFr r!TrrIN r rrrrrrrrb updateMaskrrrr:r:C,' &&}a8+   q4 0$$y$$Q'*rr:c eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) @PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequestaA PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. ceZdZdZdZdZdZy)`PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumjRequired. Only entitlements where the calling user has this access are returned. Values: CALLER_ACCESS_TYPE_UNSPECIFIED: Unspecified access type. GRANT_REQUESTER: The user has access to create grants using this entitlement. GRANT_APPROVER: The user has access to approve/deny grants created under this entitlement. rr r!Nr rrrCALLER_ACCESS_TYPE_UNSPECIFIEDGRANT_REQUESTERGRANT_APPROVERrrrCallerAccessTypeValueValuesEnumrA! &'"ONrrGr r!rIrrJrKTrNr rrrrr[rGrecallerAccessTyperrrrr r!r"rrrrr?r? &   )Y(()JAN 9  #& #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rr?c8eZdZdZej ddZy)1PrivilegedaccessmanagerFoldersLocationsGetRequestzsA PrivilegedaccessmanagerFoldersLocationsGetRequest object. Fields: name: Resource name for the location. r TrNrrrrrMrM7rrrMceZdZdZej ddZej dZej ddZejdejj Z ej d Z y ) 2PrivilegedaccessmanagerFoldersLocationsListRequestaA PrivilegedaccessmanagerFoldersLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r!rIrrJrrKNr rrrrrextraLocationTypesrrbrrr r!r"rrrrOrOAv -y,,Q> 9  #&   q4 0$ #Y # #Ay/@/@/F/F G(#i##A&)rrOc8eZdZdZej ddZy)>PrivilegedaccessmanagerFoldersLocationsOperationsDeleteRequestzA PrivilegedaccessmanagerFoldersLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r TrNrrrrrTrTYrrrTc8eZdZdZej ddZy);PrivilegedaccessmanagerFoldersLocationsOperationsGetRequestzA PrivilegedaccessmanagerFoldersLocationsOperationsGetRequest object. Fields: name: The name of the operation resource. r TrNrrrrrVrVcrrrVceZdZdZej dZej ddZejdejjZ ej dZ y ) B   q4 0$rrlc8eZdZdZej ddZy)IPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsGetRequestzA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r TrNrrrrrnrns   q4 0$rrnceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) JPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsListRequestaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r!rIrrJrKTrNrrrrrprp'ss  !9  #& !I ! !! $' #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rrpc^eZdZdZej ddZejddZy)LPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsRevokeRequesta A PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r Trr&r!Nr'rrrrrrr=3   q4 0$-y--.BAFrrrc eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) LPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequesta"A PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c eZdZdZdZdZdZdZy)nPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumr-rr r!rINr.rrrr3rwar4rr3r r!rIrrJrKTrNr5rrrruruL()..&+y**+NPQR 9  #& #Y # #Ay/@/@/F/F G(#i##A&) 9 T 2&rruceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) DPrivilegedaccessmanagerOrganizationsLocationsEntitlementsListRequestaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r!rIrrJrKTrNrrrrrzrz{r#rrzceZdZdZej ddZejddZejdZ y) EPrivilegedaccessmanagerOrganizationsLocationsEntitlementsPatchRequestaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rFr r!TrrINr;rrrr|r|r=rr|c eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) FPrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequestaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. ceZdZdZdZdZdZy)fPrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumrBrr r!NrCrrrrGrrHrrGr r!rIrrJrKTrNrIrrrr~r~rKrr~c8eZdZdZej ddZy)7PrivilegedaccessmanagerOrganizationsLocationsGetRequestzyA PrivilegedaccessmanagerOrganizationsLocationsGetRequest object. Fields: name: Resource name for the location. r TrNrrrrrrrrrceZdZdZej ddZej dZej ddZejdejj Z ej d Z y ) 8PrivilegedaccessmanagerOrganizationsLocationsListRequesta%A PrivilegedaccessmanagerOrganizationsLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r!rIrrJrrKNrPrrrrrrRrrc8eZdZdZej ddZy)DPrivilegedaccessmanagerOrganizationsLocationsOperationsDeleteRequestzA PrivilegedaccessmanagerOrganizationsLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r TrNrrrrrrrrrc8eZdZdZej ddZy)APrivilegedaccessmanagerOrganizationsLocationsOperationsGetRequestzA PrivilegedaccessmanagerOrganizationsLocationsOperationsGetRequest object. Fields: name: The name of the operation resource. r TrNrrrrrrrrrceZdZdZej dZej ddZejdejjZ ej dZ y ) BPrivilegedaccessmanagerOrganizationsLocationsOperationsListRequestaA PrivilegedaccessmanagerOrganizationsLocationsOperationsListRequest object. Fields: filter: The standard list filter. name: The name of the operation's parent resource. pageSize: The standard list page size. pageToken: The standard list page token. r r!TrrIrrJNrYrrrrrsa !9  #&   q4 0$ #Y # #Ay/@/@/F/F G(#i##A&)rrc8eZdZdZej ddZy)DPrivilegedaccessmanagerProjectsLocationsCheckOnboardingStatusRequestaA PrivilegedaccessmanagerProjectsLocationsCheckOnboardingStatusRequest object. Fields: parent: Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r TrNrrrrrrrrrceZdZdZej ddZejdZejddZ ejdZ y ) APrivilegedaccessmanagerProjectsLocationsEntitlementsCreateRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsCreateRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. entitlementId: Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`. parent: Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}` * `folders/{folder- number}/locations/{region}` * `projects/{project-id|project- number}/locations/{region}` requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rFr r!rITrrJNrrrrrr.rrrceZdZdZej dZejddZejdZ y)APrivilegedaccessmanagerProjectsLocationsEntitlementsDeleteRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsDeleteRequest object. Fields: force: Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.) name: Required. Name of the resource. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). r r!TrrINrrrrrrRrrrc8eZdZdZej ddZy)>PrivilegedaccessmanagerProjectsLocationsEntitlementsGetRequestzA PrivilegedaccessmanagerProjectsLocationsEntitlementsGetRequest object. Fields: name: Required. Name of the resource. r TrNrrrrrrlrrrc^eZdZdZej ddZejddZy)HPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsApproveRequesta A PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsApproveRequest object. Fields: approveGrantRequest: A ApproveGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being approved. r*r r!TrNrrrrrrvr rrceZdZdZej ddZejddZejdZ y) GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsCreateRequesta2A PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsCreateRequest object. Fields: grant: A Grant resource to be passed as the request body. parent: Required. Name of the parent entitlement for which this grant is being requested. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rr r!TrrINr rrrrrrjrrc^eZdZdZej ddZejddZy)EPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsDenyRequestzA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsDenyRequest object. Fields: denyGrantRequest: A DenyGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being denied. rBr r!TrNrrrrrrrrrc8eZdZdZej ddZy)DPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsGetRequestzA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r TrNrrrrrrrrrceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) EPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsListRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r!rIrrJrKTrNrrrrrrr#rrc^eZdZdZej ddZejddZy)GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsRevokeRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r Trr&r!Nr'rrrrrrsrrc eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c eZdZdZdZdZdZdZy)iPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumr-rr r!rINr.rrrr3rr4rr3r r!rIrrJrKTrNr5rrrrrrxrrceZdZdZej dZej dZejdejjZ ej dZ ej dd Z y ) ?PrivilegedaccessmanagerProjectsLocationsEntitlementsListRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r!rIrrJrKTrNrrrrrr r#rrceZdZdZej ddZejddZejdZ y) @PrivilegedaccessmanagerProjectsLocationsEntitlementsPatchRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rFr r!TrrINr;rrrrr!r=rrc eZdZdZGddej ZejddZejdZ ejdejjZejdZejd d Zy ) APrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequestaA PrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. ceZdZdZdZdZdZy)aPrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumrBrr r!NrCrrrrGrQrHrrGr r!rIrrJrKTrNrIrrrrr=rKrrc8eZdZdZej ddZy)2PrivilegedaccessmanagerProjectsLocationsGetRequestztA PrivilegedaccessmanagerProjectsLocationsGetRequest object. Fields: name: Resource name for the location. r TrNrrrrrrgrrrceZdZdZej ddZej dZej ddZejdejj Z ej d Z y ) 3PrivilegedaccessmanagerProjectsLocationsListRequesta A PrivilegedaccessmanagerProjectsLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r!rIrrJrrKNrPrrrrrqrRrrc8eZdZdZej ddZy)?PrivilegedaccessmanagerProjectsLocationsOperationsDeleteRequestzA PrivilegedaccessmanagerProjectsLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r TrNrrrrrrrrrc8eZdZdZej ddZy)" to include in api requests. uploadType: Legacy upload protocol for media (e.g. "media", "multipart"). upload_protocol: Upload protocol for media (e.g. "raw", "multipart"). ceZdZdZdZdZdZy)*StandardQueryParameters.AltValueValuesEnumzData format for response. Values: json: Responses with Content-Type of application/json media: Media download with context-dependent Content-Type proto: Responses with Content-Type of application/x-protobuf rr r!N)r rrrjsonmediaprotorrrAltValueValuesEnumr3s D E ErrceZdZdZdZdZy)-StandardQueryParameters.FXgafvValueValuesEnumzVV1 error format. Values: _1: v1 error format _2: v2 error format rr N)r rrr_1_2rrrFXgafvValueValuesEnumr?s B Brrr r!rIr)defaultrJrKrSrTrVTrXrYrZrpN)r rrrrr[rrref__xgafvr access_tokenaltcallbackfieldsr oauth_tokenr prettyPrint quotaUsertrace uploadTypeupload_protocolrrrrrs 4 9>>  inn !Y !8! <(&&&q), 0!VD# "Y " "1 %( 9  #& a #% %%a(+& &&q$7+#i##A&) )   #%$y$$R(*)I))"-/rrceZdZdZej dGddejZejdejjZ ejddd Zejd Zy ) raThe `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). Messages: DetailsValueListEntry: A DetailsValueListEntry object. Fields: code: The status code, which should be an enum value of google.rpc.Code. details: A list of messages that carry the error details. There is a common set of message types for APIs to use. message: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. rcdeZdZdZGddej ZejdddZy)Status.DetailsValueListEntryzA DetailsValueListEntry object. Messages: AdditionalProperty: An additional property for a DetailsValueListEntry object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cZeZdZdZej dZejddZy)/Status.DetailsValueListEntry.AdditionalPropertyzAn additional property for a DetailsValueListEntry object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r rr!Nrrrrrrxrrrr Tr NrrrrDetailsValueListEntryrkrrrr rr!Tr rIN)r rrrrrrrrrrr coderdetailsrmessagerrrrrWs&"8!!"89Zi//Z:Z2   9+<+<+B+B C$ "I " "#:A M' !I ! !! $'rrceZdZdZej dej jZejddZ ejdddZ y ) ra9Step represents a logical step in a manual approval workflow. Fields: approvalsNeeded: Required. How many users from the above list need to approve. If there aren't enough distinct users in the list, then the workflow indefinitely blocks. Should always be greater than 0. 1 is the only supported value. approverEmailRecipients: Optional. Additional email addresses to be notified when a grant is pending approval. approvers: Optional. The potential set of approvers in this step. This list must contain at most one entry. r rr!Tr r rIN) r rrrrrrr approvalsNeededrapproverEmailRecipientsr approversrrrrrsU +I**1i6G6G6M6MN/1I11!dC$i$$%91tL)rrc:eZdZdZej dddZy)raHTimeline of a grant describing what happened to it and when. Fields: events: Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type `Requested` and there is always at least one entry in this array. rir Tr N)r rrrrreventsrrrrrs "9 ! !'1t <&rrceZdZdZy)rzEThe requester has to provide a justification in the form of a string.NrrrrrrsNrrceZdZdZy)roz3An event representing that the grant was withdrawn.Nrrrrroror9rrorz$.xgafvr1r2N)wr __future__rapitools.base.protorpcliterrapitools.base.pyrrpackagerr rrr r%r*r/r4r8r;r@rBrDrFrirjrkr<rrrrrrrrrrr&rrrrUrrrrrr rrrr%r*r8r:r?rMrOrTrVrXr\r_rarcrergrirlrnrprrrurzr|r~rrrrrrrrrrrrrrrrrrrrrrrrrlrWr&rmrrnrrrrrrrroAddCustomJsonFieldMappingAddCustomJsonEnumMappingrrrrrs "'<%( $ 7** 7J !!J.y((. EI$5$5 E Ay(( A $)++ $ $y  $ ."" .=Y..= ,I$5$5 , $Y   $ $y(( $9I  9E))##E)P"6I  "6J;i;** Ai AI9$$I")++Z)I  Z)z ?i'' ? 7I%% 7 8y00 8 8** 8 +I-- + EY.. EM"y  M"`;i'';09$$i8 !!i8X" ))"6;y((; 3)J[J[ 3!'yGXGX!'H'yGXGX'41IDUDU1 1iN_N_ 1'YM^M^'4 19K\K\ 11)J[J[139K\K\3* GYM^M^ G+3YM^M^+3\3YEVEV3((iFWFW(8'3yGXGX'3T1 8I8I1'9J9J'01YEVEV11)BSBS1 '9CTCT ' 1Y5F5F 1 3PYPaPa 3 !'YM^M^!'H'YM^M^'41)J[J[1 1T]TeTe 1'S\SdSd'6 1QZQbQb 1 1PYPaPa 13QZQbQb3, GS\SdSd G,3S\SdSd,3^39K\K\3*(IL]L](8'3YM^M^'3T1i>O>O1'y?P?P'019K\K\11 HYHY1'IZIZ'" 39K\K\ 3!' HYHY!'H' HYHY'41YEVEV1 1yO`O` 1'iN_N_'6 1IL]L] 119K\K\13IL]L]3* GiN_N_ G,3iN_N_,3^3iFWFW3*(yGXGX(8'3 HYHY'3T19J9J1'):K:K'01iFWFW119CTCT1 'IDUDU ' ( !!( ;9#4#4 ; $**$ $i $")##"$ 5 !! 5 +!2!2 + +9,, +<.i//<.~0%Y  0%fM9  M& =y  =O9$$O= !!=#""Z4!!!114>!!!114>r