Package com.google.cloud.asset.v1

Class IamPolicyAnalysisQuery.Options.Builder

    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<IamPolicyAnalysisQuery.Options.Builder>

      • getDescriptorForType

        public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
        Specified by:
        getDescriptorForType in interface com.google.protobuf.Message.Builder
        Specified by:
        getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<IamPolicyAnalysisQuery.Options.Builder>

      • getDefaultInstanceForType

        public IamPolicyAnalysisQuery.Options getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

      • build

        public IamPolicyAnalysisQuery.Options build()
        Specified by:
        build in interface com.google.protobuf.Message.Builder
        Specified by:
        build in interface com.google.protobuf.MessageLite.Builder

      • buildPartial

        public IamPolicyAnalysisQuery.Options buildPartial()
        Specified by:
        buildPartial in interface com.google.protobuf.Message.Builder
        Specified by:
        buildPartial in interface com.google.protobuf.MessageLite.Builder

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<IamPolicyAnalysisQuery.Options.Builder>

      • getExpandGroups

        public boolean getExpandGroups()
         Optional. If true, the identities section of the result will expand any
 Google groups appearing in an IAM policy binding.

 If
 [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector]
 is specified, the identity in the result will be determined by the
 selector, and this flag is not allowed to set.

 If true, the default max expansion per group is 1000 for
 AssetService.AnalyzeIamPolicy][].

 Default is false.
        bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getExpandGroups in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The expandGroups.

      • setExpandGroups

        public IamPolicyAnalysisQuery.Options.Builder setExpandGroups​(boolean value)
         Optional. If true, the identities section of the result will expand any
 Google groups appearing in an IAM policy binding.

 If
 [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector]
 is specified, the identity in the result will be determined by the
 selector, and this flag is not allowed to set.

 If true, the default max expansion per group is 1000 for
 AssetService.AnalyzeIamPolicy][].

 Default is false.
        bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The expandGroups to set.
        Returns:
        This builder for chaining.

      • clearExpandGroups

        public IamPolicyAnalysisQuery.Options.Builder clearExpandGroups()
         Optional. If true, the identities section of the result will expand any
 Google groups appearing in an IAM policy binding.

 If
 [IamPolicyAnalysisQuery.identity_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.identity_selector]
 is specified, the identity in the result will be determined by the
 selector, and this flag is not allowed to set.

 If true, the default max expansion per group is 1000 for
 AssetService.AnalyzeIamPolicy][].

 Default is false.
        bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.

      • getExpandRoles

        public boolean getExpandRoles()
         Optional. If true, the access section of result will expand any roles
 appearing in IAM policy bindings to include their permissions.

 If
 [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector]
 is specified, the access section of the result will be determined by the
 selector, and this flag is not allowed to set.

 Default is false.
        bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getExpandRoles in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The expandRoles.

      • setExpandRoles

        public IamPolicyAnalysisQuery.Options.Builder setExpandRoles​(boolean value)
         Optional. If true, the access section of result will expand any roles
 appearing in IAM policy bindings to include their permissions.

 If
 [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector]
 is specified, the access section of the result will be determined by the
 selector, and this flag is not allowed to set.

 Default is false.
        bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The expandRoles to set.
        Returns:
        This builder for chaining.

      • clearExpandRoles

        public IamPolicyAnalysisQuery.Options.Builder clearExpandRoles()
         Optional. If true, the access section of result will expand any roles
 appearing in IAM policy bindings to include their permissions.

 If
 [IamPolicyAnalysisQuery.access_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.access_selector]
 is specified, the access section of the result will be determined by the
 selector, and this flag is not allowed to set.

 Default is false.
        bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.

      • getExpandResources

        public boolean getExpandResources()
         Optional. If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is not specified, the resource section of the result will expand any
 resource attached to an IAM policy to include resources lower in the
 resource hierarchy.

 For example, if the request analyzes for which resources user A has
 permission P, and the results include an IAM policy with P on a Google
 Cloud folder, the results will also include resources in that folder with
 permission P.

 If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is specified, the resource section of the result will expand the
 specified resource to include resources lower in the resource hierarchy.
 Only project or lower resources are supported. Folder and organization
 resources cannot be used together with this option.

 For example, if the request analyzes for which users have permission P on
 a Google Cloud project with this option enabled, the results will include
 all users who have permission P on that project or any lower resource.

 If true, the default max expansion per resource is 1000 for
 AssetService.AnalyzeIamPolicy][] and 100000 for
 AssetService.AnalyzeIamPolicyLongrunning][].

 Default is false.
        bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getExpandResources in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The expandResources.

      • setExpandResources

        public IamPolicyAnalysisQuery.Options.Builder setExpandResources​(boolean value)
         Optional. If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is not specified, the resource section of the result will expand any
 resource attached to an IAM policy to include resources lower in the
 resource hierarchy.

 For example, if the request analyzes for which resources user A has
 permission P, and the results include an IAM policy with P on a Google
 Cloud folder, the results will also include resources in that folder with
 permission P.

 If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is specified, the resource section of the result will expand the
 specified resource to include resources lower in the resource hierarchy.
 Only project or lower resources are supported. Folder and organization
 resources cannot be used together with this option.

 For example, if the request analyzes for which users have permission P on
 a Google Cloud project with this option enabled, the results will include
 all users who have permission P on that project or any lower resource.

 If true, the default max expansion per resource is 1000 for
 AssetService.AnalyzeIamPolicy][] and 100000 for
 AssetService.AnalyzeIamPolicyLongrunning][].

 Default is false.
        bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The expandResources to set.
        Returns:
        This builder for chaining.

      • clearExpandResources

        public IamPolicyAnalysisQuery.Options.Builder clearExpandResources()
         Optional. If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is not specified, the resource section of the result will expand any
 resource attached to an IAM policy to include resources lower in the
 resource hierarchy.

 For example, if the request analyzes for which resources user A has
 permission P, and the results include an IAM policy with P on a Google
 Cloud folder, the results will also include resources in that folder with
 permission P.

 If true and
 [IamPolicyAnalysisQuery.resource_selector][google.cloud.asset.v1.IamPolicyAnalysisQuery.resource_selector]
 is specified, the resource section of the result will expand the
 specified resource to include resources lower in the resource hierarchy.
 Only project or lower resources are supported. Folder and organization
 resources cannot be used together with this option.

 For example, if the request analyzes for which users have permission P on
 a Google Cloud project with this option enabled, the results will include
 all users who have permission P on that project or any lower resource.

 If true, the default max expansion per resource is 1000 for
 AssetService.AnalyzeIamPolicy][] and 100000 for
 AssetService.AnalyzeIamPolicyLongrunning][].

 Default is false.
        bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.

      • getOutputResourceEdges

        public boolean getOutputResourceEdges()
         Optional. If true, the result will output the relevant parent/child
 relationships between resources. Default is false.
        bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getOutputResourceEdges in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The outputResourceEdges.

      • setOutputResourceEdges

        public IamPolicyAnalysisQuery.Options.Builder setOutputResourceEdges​(boolean value)
         Optional. If true, the result will output the relevant parent/child
 relationships between resources. Default is false.
        bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The outputResourceEdges to set.
        Returns:
        This builder for chaining.

      • clearOutputResourceEdges

        public IamPolicyAnalysisQuery.Options.Builder clearOutputResourceEdges()
         Optional. If true, the result will output the relevant parent/child
 relationships between resources. Default is false.
        bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.

      • getOutputGroupEdges

        public boolean getOutputGroupEdges()
         Optional. If true, the result will output the relevant membership
 relationships between groups and other groups, and between groups and
 principals. Default is false.
        bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getOutputGroupEdges in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The outputGroupEdges.

      • setOutputGroupEdges

        public IamPolicyAnalysisQuery.Options.Builder setOutputGroupEdges​(boolean value)
         Optional. If true, the result will output the relevant membership
 relationships between groups and other groups, and between groups and
 principals. Default is false.
        bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The outputGroupEdges to set.
        Returns:
        This builder for chaining.

      • clearOutputGroupEdges

        public IamPolicyAnalysisQuery.Options.Builder clearOutputGroupEdges()
         Optional. If true, the result will output the relevant membership
 relationships between groups and other groups, and between groups and
 principals. Default is false.
        bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.

      • getAnalyzeServiceAccountImpersonation

        public boolean getAnalyzeServiceAccountImpersonation()
         Optional. If true, the response will include access analysis from
 identities to resources via service account impersonation. This is a very
 expensive operation, because many derived queries will be executed. We
 highly recommend you use
 [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]
 RPC instead.

 For example, if the request analyzes for which resources user A has
 permission P, and there's an IAM policy states user A has
 iam.serviceAccounts.getAccessToken permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to a Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Another example, if the request analyzes for who has
 permission P to a Google Cloud folder F, and there's an IAM policy states
 user A has iam.serviceAccounts.actAs permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to the Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Only the following permissions are considered in this analysis:

 * `iam.serviceAccounts.actAs`
 * `iam.serviceAccounts.signBlob`
 * `iam.serviceAccounts.signJwt`
 * `iam.serviceAccounts.getAccessToken`
 * `iam.serviceAccounts.getOpenIdToken`
 * `iam.serviceAccounts.implicitDelegation`

 Default is false.
        bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];
        Specified by:
        getAnalyzeServiceAccountImpersonation in interface IamPolicyAnalysisQuery.OptionsOrBuilder
        Returns:
        The analyzeServiceAccountImpersonation.

      • setAnalyzeServiceAccountImpersonation

        public IamPolicyAnalysisQuery.Options.Builder setAnalyzeServiceAccountImpersonation​(boolean value)
         Optional. If true, the response will include access analysis from
 identities to resources via service account impersonation. This is a very
 expensive operation, because many derived queries will be executed. We
 highly recommend you use
 [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]
 RPC instead.

 For example, if the request analyzes for which resources user A has
 permission P, and there's an IAM policy states user A has
 iam.serviceAccounts.getAccessToken permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to a Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Another example, if the request analyzes for who has
 permission P to a Google Cloud folder F, and there's an IAM policy states
 user A has iam.serviceAccounts.actAs permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to the Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Only the following permissions are considered in this analysis:

 * `iam.serviceAccounts.actAs`
 * `iam.serviceAccounts.signBlob`
 * `iam.serviceAccounts.signJwt`
 * `iam.serviceAccounts.getAccessToken`
 * `iam.serviceAccounts.getOpenIdToken`
 * `iam.serviceAccounts.implicitDelegation`

 Default is false.
        bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];
        Parameters:
        value - The analyzeServiceAccountImpersonation to set.
        Returns:
        This builder for chaining.

      • clearAnalyzeServiceAccountImpersonation

        public IamPolicyAnalysisQuery.Options.Builder clearAnalyzeServiceAccountImpersonation()
         Optional. If true, the response will include access analysis from
 identities to resources via service account impersonation. This is a very
 expensive operation, because many derived queries will be executed. We
 highly recommend you use
 [AssetService.AnalyzeIamPolicyLongrunning][google.cloud.asset.v1.AssetService.AnalyzeIamPolicyLongrunning]
 RPC instead.

 For example, if the request analyzes for which resources user A has
 permission P, and there's an IAM policy states user A has
 iam.serviceAccounts.getAccessToken permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to a Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Another example, if the request analyzes for who has
 permission P to a Google Cloud folder F, and there's an IAM policy states
 user A has iam.serviceAccounts.actAs permission to a service account SA,
 and there's another IAM policy states service account SA has permission P
 to the Google Cloud folder F, then user A potentially has access to the
 Google Cloud folder F. And those advanced analysis results will be
 included in
 [AnalyzeIamPolicyResponse.service_account_impersonation_analysis][google.cloud.asset.v1.AnalyzeIamPolicyResponse.service_account_impersonation_analysis].

 Only the following permissions are considered in this analysis:

 * `iam.serviceAccounts.actAs`
 * `iam.serviceAccounts.signBlob`
 * `iam.serviceAccounts.signJwt`
 * `iam.serviceAccounts.getAccessToken`
 * `iam.serviceAccounts.getOpenIdToken`
 * `iam.serviceAccounts.implicitDelegation`

 Default is false.
        bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];
        Returns:
        This builder for chaining.