AccessBoundary

An access boundary defines the upper bound of what a principal may access. It includes a list of access boundary rules that each defines the resource that may be allowed as well as permissions that may be used on those resources.

JSON representation
{ "accessBoundaryRules": [ { object (`AccessBoundaryRule`) } ] }

Fields

Fields
`accessBoundaryRules[]`	`object (AccessBoundaryRule)` A list of access boundary rules which defines the upper bound of the permission a principal may carry. If multiple rules are specified, the effective access boundary is the union of all the access boundary rules attached. One access boundary can contain at most 10 rules.

accessBoundaryRules[]

object (AccessBoundaryRule)

A list of access boundary rules which defines the upper bound of the permission a principal may carry. If multiple rules are specified, the effective access boundary is the union of all the access boundary rules attached.

One access boundary can contain at most 10 rules.

AccessBoundaryRule

An access boundary rule defines an upper bound of IAM permissions on a single resource.

JSON representation
{ "availableResource": string, "availablePermissions": [ string ], "availabilityCondition": { object (`Expr`) } }

Fields

Fields
`availableResource`	`string` The full resource name of a Google Cloud resource entity. The format definition is at https://cloud.google.com/apis/design/resource_names. Example value: `//cloudresourcemanager.googleapis.com/projects/my-project`.
`availablePermissions[]`	`string` A list of permissions that may be allowed for use on the specified resource. The only supported values in the list are IAM roles, following the format of `google.iam.v1.Binding.role`. Example value: `inRole:roles/logging.viewer` for predefined roles and `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom roles.
`availabilityCondition`	`object (Expr)` The availability condition further constrains the access allowed by the access boundary rule. If the condition evaluates to `true`, then this access boundary rule will provide access to the specified resource, assuming the principal has the required permissions for the resource. If the condition does not evaluate to `true`, then access to the specified resource will not be available. Note that all access boundary rules in an access boundary are evaluated together as a union. As such, another access boundary rule may allow access to the resource, even if this access boundary rule does not allow access. To learn which resources support conditions in their IAM policies, see the IAM documentation. The maximum length of the `expression` field is 2048 characters.

availableResource

string

The full resource name of a Google Cloud resource entity. The format definition is at https://cloud.google.com/apis/design/resource_names.

Example value: //cloudresourcemanager.googleapis.com/projects/my-project.

availablePermissions[]

string

A list of permissions that may be allowed for use on the specified resource.

The only supported values in the list are IAM roles, following the format of google.iam.v1.Binding.role.

Example value: inRole:roles/logging.viewer for predefined roles and inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer for custom roles.

availabilityCondition

object (Expr)

The availability condition further constrains the access allowed by the access boundary rule.

If the condition evaluates to true, then this access boundary rule will provide access to the specified resource, assuming the principal has the required permissions for the resource.

If the condition does not evaluate to true, then access to the specified resource will not be available. Note that all access boundary rules in an access boundary are evaluated together as a union. As such, another access boundary rule may allow access to the resource, even if this access boundary rule does not allow access.

To learn which resources support conditions in their IAM policies, see the IAM documentation.

The maximum length of the expression field is 2048 characters.