rSrSSKJr SSKJr SSKJr SSKJr Sr "SS\R5r "S S \R5r "S S \R5r "S S\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS \R5r"S!S"\R5r"S#S$\R5r"S%S&\R5r"S'S(\R5r"S)S*\R5r"S+S,\R5r"S-S.\R5r"S/S0\R5r"S1S2\R5r "S3S4\R5r!"S5S6\R5r""S7S8\R5r#"S9S:\R5r$"S;S<\R5r%"S=S>\R5r&"S?S@\R5r'"SASB\R5r("SCSD\R5r)"SESF\R5r*"SGSH\R5r+"SISJ\R5r,"SKSL\R5r-"SMSN\R5r."SOSP\R5r/"SQSR\R5r0"SSST\R5r1"SUSV\R5r2"SWSX\R5r3"SYSZ\R5r4"S[S\\R5r5"S]S^\R5r6"S_S`\R5r7"SaSb\R5r8"ScSd\R5r9"SeSf\R5r:"SgSh\R5r;"SiSj\R5r<"SkSl\R5r="SmSn\R5r>"SoSp\R5r?"SqSr\R5r@"SsSt\R5rA"SuSv\R5rB"SwSx\R5rC"SySz\R5rD"S{S|\R5rE"S}S~\R5rF"SS\R5rG"SS\R5rH"SS\R5rI"SS\R5rJ"SS\R5rK"SS\R5rL"SS\R5rM"SS\R5rN"SS\R5rO"SS\R5rP"SS\R5rQ"SS\R5rR"SS\R5rS"SS\R5rT"SS\R5rU"SS\R5rV"SS\R5rW"SS\R5rX"SS\R5rY"SS\R5rZ"SS\R5r["SS\R5r\"SS\R5r]"SS\R5r^"SS\R5r_"SS\R5r`"SS\R5ra"SS\R5rb"SS\R5rc"SS\R5rd"SS\R5re"SS\R5rf"SS\R5rg"SS\R5rh"SS\R5ri"SS\R5rj"SS\R5rk"SS\R5rl"SS\R5rm"SS\R5rn"SS\R5ro"SS\R5rp"SS\R5rq"SS\R5rr"SS\R5rs"SS\R5rt"SS\R5ru"SS\R5rv"SS\R5rw"SS\R5rx"SS\R5ry"SS\R5rz"SS\R5r{"SS\R5r|"SS\R5r}"SS\R5r~"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SS\R5r"SGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GS GS \R5r"GS GS \R5r"GS GS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r"GSGS\R5r\GR&"\GSGS5 \GR("\GR*GSGS5 \GR("\GR*GSGS5 Gg(aGenerated message classes for privilegedaccessmanager version v1alpha. Privileged Access Manager (PAM) helps you to follow least privilege best practice to mitigate risks tied to privileged access misuse and abuse. You can shift from always-on standing privileges to on-demand access using time-bound and approval-based access elevations. IAM administrators specifically can use PAM to create entitlements that can grant temporary access to a specific resource scope. Requesters can explore eligible entitlements and request the access needed for their task, and approvers are notified when approvals require their attention. Streamlined workflows facilitated using PAM support several use cases, including the following: * Emergency access for incident responders * Time-boxed access for developers for critical deployment or maintenance * Temporary access for operators for data ingestion and audits * Temporary access to service accounts for automated tasks )absolute_import)messages)encoding) extra_typesprivilegedaccessmanagerc:\rSrSrSr\R "SSS9rSrg)AccessControlEntrya6`AccessControlEntry` is used to control who can do some operation. Fields: principals: Optional. Users who are allowed for the operation. Each entry should be a valid v1 IAM principal identifier. The format for these is documented at: https://cloud.google.com/iam/docs/principal- identifiers#v1 TrepeatedN) __name__ __module__ __qualname____firstlineno____doc__ _messages StringField principals__static_attributes__rulib/googlecloudsdk/generated_clients/apis/privilegedaccessmanager/v1alpha/privilegedaccessmanager_v1alpha_messages.pyr r s$$Q6*rr c\rSrSrSrSrg) Activated)z@An event representing that the grant was successfully activated.rNrrrrrrrrrrr)Irrc>\rSrSrSr\R "SS5rSrg)ActivationFailed-zAn event representing that the grant activation failed. Fields: error: Output only. The error that occurred while activating the grant. Statusr rN) rrrrrr MessageFielderrorrrrrr r -s  1 -%rr c\\rSrSrSr\R "SSS9r\R "SSS9rSr g) AdditionalNotificationTargets7aC`AdditionalNotificationTargets` includes email addresses to be notified. Fields: adminEmailRecipients: Optional. Additional email addresses to be notified when a principal (requester) is granted access. requesterEmailRecipients: Optional. Additional email address to be notified about an eligible entitlement. r Tr rN) rrrrrrradminEmailRecipientsrequesterEmailRecipientsrrrrr&r&7s/#..q4@&221tDrr&c>\rSrSrSr\R "SS5rSrg)ApprovalWorkflowEzDifferent types of approval workflows that can be used to gate privileged access granting. Fields: manualApprovals: An approval workflow where users designated as approvers review and act on the grants. ManualApprovalsr rN) rrrrrrr#manualApprovalsrrrrr,r,E**+B$$Q'*(()=q4P-   q !$ ,,Q/   q !$++,>B!*!7!78VXY!Z   4b 9%$$R(*rrSc\rSrSrSr\R "SS5r\R "SS5r\R "SS5r \R "S S 5r \R "S S 5r \R"S 5r \R "SS5r\R "SS5r\R "SS5r\R "SS5r\R "SS5r\R "SS5rSrg)Eventa1A single operation on the grant. Fields: activated: The grant was successfully activated to give access. activationFailed: There was a non-retriable error while trying to give access. approved: The grant was approved. denied: The grant was denied. ended: Access given by the grant ended automatically as the approved duration was over. eventTime: Output only. The time (as recorded at server) when this event occurred. expired: The approval workflow did not complete in the necessary duration, and so the grant is expired. externallyModified: The policy bindings made by grant have been modified outside of PAM. requested: The grant was requested. revoked: The grant was revoked. scheduled: The grant has been scheduled to give access. withdrawn: The grant was withdrawn. rr r r(r8r:rJrXrPrYraExpiredrbExternallyModifiedrd RequestedrfRevokedrg Scheduledrh Withdrawn rN)rrrrrrr# activatedactivationFailedapproveddeniedendedr eventTimeexpiredexternallyModified requestedrevoked scheduled withdrawnrrrrrwrws,$$[!4)++,>B  # #J 2(  ! !(A .&  ! ,%##A&)  " "9a 0' --.BAF$$[!4)  " "9b 1'$$["5)$$["5)rrwc\rSrSrSrSrg)ryiz1An event representing that the grant was expired.rNrrrrryrys:rryc\rSrSrSrSrg)rziz\An event representing that the policy bindings made by this grant were modified externally. rNrrrrrzrzrrzc\rSrSrSr\R "SS5r\R"S5r \R "SS5r Sr g ) FetchEffectiveSettingsResponsei!aThe effective value of the settings at the given location resource, evaluated based on the crm resource hierarchy. Fields: emailNotificationSettings: Output only. `EmailNotificationSettings` defines effective node-wide email notification preferences for various PAM events. parent: Output only. The resource on which the settings are effective. Possible formats: * `projects/{project-number|project- id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` serviceAccountApproverSettings: Output only. Effective settings for allowing service account as approvers. 7FetchEffectiveSettingsResponseEmailNotificationSettingsr r(\rSrSrSr\R "SS5rSrg)rFizFinding represents an issue which prevents PAM from functioning properly for this resource. Fields: iamAccessDenied: PAM's service account is being denied access by Cloud IAM. IAMAccessDeniedr rN) rrrrrrr#iamAccessDeniedrrrrrFrFr0rrFc\rSrSrSr\R "S5r\R "S5r\R"SSSS9r S r g ) GcpIamAccessiaT`GcpIamAccess` represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Fields: resource: Required. Name of the resource. resourceType: Required. The type of this resource. roleBindings: Required. Role bindings that are created on successful grant. r r( RoleBindingr:Tr rN rrrrrrrresource resourceTyper# roleBindingsrrrrrrs=  " "1 %(&&q),'' q4H,rrc\rSrSrSrSrg)GoogleProtobufEmptyiaA generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } rNrrrrrrsrrc\rSrSrSr"SS\R 5r\R"SSS9r \R"SS 5r \R"S 5r \R"S 5r\R"S S 5r\R"S5r\R"SS5r\R"S5r\R"SSSS9r\R"S5r\R*"SS5r\R"SS5r\R"S5rSrg)GrantiaA grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for. Enums: StateValueValuesEnum: Output only. Current state of this grant. Fields: additionalEmailRecipients: Optional. Additional email addresses to notify for all the actions performed on the grant. auditTrail: Output only. Audit trail of access provided by this grant. If unspecified then access was never granted. createTime: Output only. Create time stamp. externallyModified: Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM. After it is set, this flag remains set forever irrespective of the grant state. A `true` value here indicates that PAM no longer has any certainty on the access a user has because of this grant. justification: Optional. Justification of why this access is needed. name: Identifier. Name of this grant. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` * `folders/{folder- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant- id}` The last segment of this name (`{grant-id}`) is autogenerated. privilegedAccess: Output only. The access that would be granted by this grant. requestedDuration: Required. The amount of time access is needed for. This value should be less than the `max_request_duration` value of the entitlement. requestedPrivilegedAccess: Optional. The accesses requested to be granted by this grant. requester: Output only. Username of the user who created this grant. state: Output only. Current state of this grant. timeline: Output only. Timeline of this grant. updateTime: Output only. Update time stamp. cL\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrg)Grant.StateValueValuesEnumiaOutput only. Current state of this grant. Values: STATE_UNSPECIFIED: Unspecified state. This value is never returned by the server. APPROVAL_AWAITED: The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete. DENIED: The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state. SCHEDULED: The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time. ACTIVATING: Access is being given. ACTIVE: Access was successfully given and is currently active. ACTIVATION_FAILED: The system could not give access due to a non- retriable error. This is a terminal state. EXPIRED: Expired after waiting for the approval workflow to complete. This is a terminal state. REVOKING: Access is being revoked. REVOKED: Access was revoked by a user. This is a terminal state. ENDED: System took back access as the requested duration was over. This is a terminal state. WITHDRAWING: Access is being withdrawn. WITHDRAWN: Grant was withdrawn by the grant owner. This is a terminal state. rr r(r:rXrYrarbrdrfrgrhrrN)rrrrrrZAPPROVAL_AWAITEDDENIED SCHEDULED ACTIVATINGACTIVEACTIVATION_FAILEDEXPIREDREVOKINGREVOKEDENDED WITHDRAWING WITHDRAWNrrrrr`rsM4 FIJ FGHG EKIrr`r Tr r?r(r:rX JustificationrYrarcrbrdRequestedPrivilegedAccessrfrgrhTimeliner rN)rrrrrrrir`radditionalEmailRecipientsr# auditTrailrlrr justificationrprqrequestedDurationrequestedPrivilegedAccess requesterrsrttimelinerurrrrrrs%N'Y^^'R(33AE%%lA6*$$Q'* --a0((!<-   q !$++,>B++A.'445PRS^bc##B')   4b 9%  # #J 3($$R(*rrc:\rSrSrSr\R "SSS9rSrg)ri.a+PAM's service account is being denied access by Cloud IAM. This can be fixed by granting a role that contains the missing permissions to the service account or exempting it from deny policies if they are blocking the access. Fields: missingPermissions: List of permissions that are being denied. r Tr rN) rrrrrrrmissingPermissionsrrrrrr.s!,,Q>rrc<\rSrSrSr\R "S5rSrg)ri;zJustification represents a justification for requesting access. Fields: unstructuredJustification: A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string. r rN) rrrrrrrunstructuredJustificationrrrrrr;s(33A6rrc\rSrSrSr\R "SSSS9r\R"S5r \R"SSS9r S r g ) ListEntitlementsResponseiGzMessage for response to listing entitlements. Fields: entitlements: The list of entitlements. nextPageToken: A token identifying a page of results the server should return. unreachable: Locations that could not be reached. rSr Tr r(r:rN) rrrrrrr# entitlementsr nextPageToken unreachablerrrrrrGs?'' q4H,''*-%%a$7+rrc\rSrSrSr\R "SSSS9r\R"S5r \R"SSS9r S r g ) ListGrantsResponseiVzMessage for response to listing grants. Fields: grants: The list of grants. nextPageToken: A token identifying a page of results the server should return. unreachable: Locations that could not be reached. rr Tr r(r:rN) rrrrrrr#grantsrrrrrrrrrVs?  ! !'1t <&''*-%%a$7+rrc`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) ListLocationsResponseiezThe response message for Locations.ListLocations. Fields: locations: A list of locations that matches the specified filter in the request. nextPageToken: The standard List next-page token. Locationr Tr r(rN) rrrrrrr# locationsrrrrrrrres-$$ZTB)''*-rrc\rSrSrSr\R "S5r\R"SSSS9r \R "SSS9r S r g ) ListOperationsResponseiraThe response message for Operations.ListOperations. Fields: nextPageToken: The standard List next-page token. operations: A list of operations that matches the specified filter in the request. unreachable: Unordered list. Unreachable resources. Populated when the request sets `ListOperationsRequest.return_partial_success` and reads across collections e.g. when attempting to list all resources across all supported locations. r Operationr(Tr r:rN) rrrrrrrrr# operationsrrrrrrrrs? ''*-%%k1tD*%%a$7+rrcx\rSrSrSr\R "S5"SS\R55r \R "S5"SS\R55r \R"S5r \R"SS 5r\R"S 5r\R"SS 5r\R"S 5rS rg)riaMA resource that represents a Google Cloud location. Messages: LabelsValue: Cross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} MetadataValue: Service-specific metadata. For example the available capacity at the given location. Fields: displayName: The friendly name for this location, typically a nearby city name. For example, "Tokyo". labels: Cross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} locationId: The canonical id for this location. For example: `"us-east1"`. metadata: Service-specific metadata. For example the available capacity at the given location. name: Resource name for the location, which may vary between implementations. For example: `"projects/example-project/locations/us- east1"` additionalPropertiescf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) Location.LabelsValueiaCross-service attributes for the location. For example {"cloud.googleapis.com/region": "us-east1"} Messages: AdditionalProperty: An additional property for a LabelsValue object. Fields: additionalProperties: Additional properties of type LabelsValue c`\rSrSrSr\R "S5r\R "S5rSr g)'Location.LabelsValue.AdditionalPropertyizAn additional property for a LabelsValue object. Fields: key: Name of the additional property. value: A string attribute. r r(rN) rrrrrrrkeyvaluerrrrAdditionalPropertyrs)   ! !! $c##A&errr Tr rN rrrrrrMessagerr#rrrrr LabelsValuers2 'Y.. '%112FTXYrrcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) Location.MetadataValueia Service-specific metadata. For example the available capacity at the given location. Messages: AdditionalProperty: An additional property for a MetadataValue object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g))Location.MetadataValue.AdditionalPropertyiAn additional property for a MetadataValue object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r extra_types.JsonValuer(rN rrrrrrrrr#rrrrrrr,   ! !! $c$$%\rSrSrSr\R "SS5rSrg)rcizzPrivileged access that this service can be used to gate. Fields: gcpIamAccess: Access to a Google Cloud resource through IAM. rr rN rrrrrrr# gcpIamAccessrrrrrcrczs '':,rrcc:\rSrSrSr\R "SSS9rSrg)CPrivilegedaccessmanagerFoldersLocationsCheckOnboardingStatusRequestiaA PrivilegedaccessmanagerFoldersLocationsCheckOnboardingStatusRequest object. Fields: parent: Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r TrequiredrN rrrrrrrrrrrrr)r)   T 2&rr)c\rSrSrSr\R "SS5r\R"S5r \R"SSS9r \R"S 5r S r g ) @PrivilegedaccessmanagerFoldersLocationsEntitlementsCreateRequestia`A PrivilegedaccessmanagerFoldersLocationsEntitlementsCreateRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. entitlementId: Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`. parent: Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}` * `folders/{folder- number}/locations/{region}` * `projects/{project-id|project- number}/locations/{region}` requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rSr r(r:Tr*rXrN rrrrrrr# entitlementr entitlementIdr requestIdrrrrr/r/M:&&}a8+''*-  T 2&##A&)rr/c\rSrSrSr\R "S5r\R"SSS9r \R"S5r Sr g ) @PrivilegedaccessmanagerFoldersLocationsEntitlementsDeleteRequestiaA PrivilegedaccessmanagerFoldersLocationsEntitlementsDeleteRequest object. Fields: force: Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.) name: Required. Name of the resource. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). r r(Tr*r:rN rrrrrrrforcerrpr3rrrrr6r6;(   #%   q4 0$##A&)rr6c:\rSrSrSr\R "SSS9rSrg)=PrivilegedaccessmanagerFoldersLocationsEntitlementsGetRequestizyA PrivilegedaccessmanagerFoldersLocationsEntitlementsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rN rrrrrrrrprrrrr;r;   q4 0$rr;c`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) GPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsApproveRequestizA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsApproveRequest object. Fields: approveGrantRequest: A ApproveGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being approved. r2r r(Tr*rN rrrrrrr#approveGrantRequestrrprrrrr?r?/"../DaH   q4 0$rr?c\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) FPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsCreateRequestia A PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsCreateRequest object. Fields: grant: A Grant resource to be passed as the request body. parent: Required. Name of the parent entitlement for which this grant is being requested. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rr r(Tr*r:rN rrrrrrr#grantrrr3rrrrrDrDs=(  ! ,%  T 2&##A&)rrDc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) DPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsDenyRequestizA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsDenyRequest object. Fields: denyGrantRequest: A DenyGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being denied. rMr r(Tr*rN rrrrrrr#denyGrantRequestrrprrrrrHrH/++,>B   q4 0$rrHc:\rSrSrSr\R "SSS9rSrg)CPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsGetRequestizA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rNr<rrrrMrM   q4 0$rrMc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) DPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsListRequestiaA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r(r:variantrXrYTr*rNrrrrrrrfilterorderBy IntegerFieldVariantINT32pageSize pageTokenrrrrrrPrPi    #&  ! !! $'  # #Ay/@/@/F/F G(##A&)  T 2&rrPc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) FPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsRevokeRequesti2zA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r Tr*RevokeGrantRequestr(rN rrrrrrrrpr#revokeGrantRequestrrrrr]r]2s/   q4 0$ --.BAFrr]c\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)FPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequesti@aA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c(\rSrSrSrSrSrSrSrSr g) hPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumiTRequired. Only grants which the caller is related to by this relationship are returned in the response. Values: CALLER_RELATIONSHIP_TYPE_UNSPECIFIED: Unspecified caller relationship type. HAD_CREATED: The user created this grant by calling `CreateGrant` earlier. CAN_APPROVE: The user is an approver for the entitlement that this grant is parented under and can currently approve/deny it. HAD_APPROVED: The caller had successfully approved/denied this grant earlier. rr r(r:rN rrrrr$CALLER_RELATIONSHIP_TYPE_UNSPECIFIED HAD_CREATED CAN_APPROVE HAD_APPROVEDrrrr!CallerRelationshipValueValuesEnumrdT ,-(KKLrrkr r(r:rQrXrYTr*rNrrrrrrrirkrscallerRelationshiprrTrVrWrXrYrZrrrrrrbrb@s~&)..&!**+NPQR   #&  # #Ay/@/@/F/F G(##A&)  T 2&rrbc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) HPrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsWithdrawRequestinaA PrivilegedaccessmanagerFoldersLocationsEntitlementsGrantsWithdrawRequest object. Fields: name: Required. Name of the grant resource which is being withdrawn. withdrawGrantRequest: A WithdrawGrantRequest resource to be passed as the request body. r Tr*WithdrawGrantRequestr(rN rrrrrrrrpr#withdrawGrantRequestrrrrrprpn/   q4 0$"//0FJrrpc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) >PrivilegedaccessmanagerFoldersLocationsEntitlementsListRequesti}aA PrivilegedaccessmanagerFoldersLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r(r:rQrXrYTr*rNrSrrrrvrv}si    #&  ! !! $'  # #Ay/@/@/F/F G(##A&)  T 2&rrvc\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) ?PrivilegedaccessmanagerFoldersLocationsEntitlementsPatchRequestiaA PrivilegedaccessmanagerFoldersLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rSr r(Tr*r:rN rrrrrrr#r1rrp updateMaskrrrrrxrx=,&&}a8+   q4 0$$$Q'*rrxc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)@PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequestiaA PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. c$\rSrSrSrSrSrSrSrg)`PrivilegedaccessmanagerFoldersLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumiJRequired. Only entitlements where the calling user has this access are returned. Values: CALLER_ACCESS_TYPE_UNSPECIFIED: Unspecified access type. GRANT_REQUESTER: The user has access to create grants using this entitlement. GRANT_APPROVER: The user has access to approve/deny grants created under this entitlement. rr r(rN rrrrrCALLER_ACCESS_TYPE_UNSPECIFIEDGRANT_REQUESTERGRANT_APPROVERrrrrCallerAccessTypeValueValuesEnumr &'"ONrrr r(r:rQrXrYTr*rNrrrrrrrirrscallerAccessTyperrTrVrWrXrYrZrrrrrr}r}}&   (()JAN   #&  # #Ay/@/@/F/F G(##A&)  T 2&rr}c:\rSrSrSr\R "SSS9rSrg)DPrivilegedaccessmanagerFoldersLocationsFetchEffectiveSettingsRequestiaA PrivilegedaccessmanagerFoldersLocationsFetchEffectiveSettingsRequest object. Fields: parent: Required. The resource for which the effective settings should be fetched. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r Tr*rNr,rrrrrr-rrc:\rSrSrSr\R "SSS9rSrg)1PrivilegedaccessmanagerFoldersLocationsGetRequestizmA PrivilegedaccessmanagerFoldersLocationsGetRequest object. Fields: name: Resource name for the location. r Tr*rNr<rrrrrr=rrc:\rSrSrSr\R "SSS9rSrg)9PrivilegedaccessmanagerFoldersLocationsGetSettingsRequestizA PrivilegedaccessmanagerFoldersLocationsGetSettingsRequest object. Fields: name: Required. The name of the settings resource to be fetched. r Tr*rNr<rrrrrr=rrc\rSrSrSr\R "SSS9r\R "S5r\R "SSS9r \R"S \RRS 9r \R "S 5rS rg )2PrivilegedaccessmanagerFoldersLocationsListRequestiaA PrivilegedaccessmanagerFoldersLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r(r:r*rXrQrYrNrrrrrrrextraLocationTypesrTrprVrWrXrYrZrrrrrrl !,,Q>   #&   q4 0$  # #Ay/@/@/F/F G(##A&)rrc:\rSrSrSr\R "SSS9rSrg)>PrivilegedaccessmanagerFoldersLocationsOperationsDeleteRequestizA PrivilegedaccessmanagerFoldersLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r Tr*rNr<rrrrrr=rrc:\rSrSrSr\R "SSS9rSrg);PrivilegedaccessmanagerFoldersLocationsOperationsGetRequestiz{A PrivilegedaccessmanagerFoldersLocationsOperationsGetRequest object. Fields: name: The name of the operation resource. r Tr*rNr<rrrrrr=rrc\rSrSrSr\R "S5r\R "SSS9r\R"S\RRS9r \R "S 5r \R"S 5rS rg ) aA PrivilegedaccessmanagerFoldersLocationsUpdateSettingsRequest object. Fields: name: Identifier. Name of the settings resource. Possible formats: projects/{project-id|project-number}/locations/{location}/settings folders/{folder-number}/locations/{location}/settings organizations/{organization-number}/locations/{location}/settings settings: A Settings resource to be passed as the request body. updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. A value of '*' for this field refers to full replacement of the resource. r Tr*Settingsr(r:rN rrrrrrrrpr#settingsrzrrrrrr>=$   q4 0$  # #J 2($$Q'*rrc:\rSrSrSr\R "SSS9rSrg)IPrivilegedaccessmanagerOrganizationsLocationsCheckOnboardingStatusRequestiVaA PrivilegedaccessmanagerOrganizationsLocationsCheckOnboardingStatusRequest object. Fields: parent: Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r Tr*rNr,rrrrrV   T 2&rrc\rSrSrSr\R "SS5r\R"S5r \R"SSS9r \R"S 5r S r g ) FPrivilegedaccessmanagerOrganizationsLocationsEntitlementsCreateRequestifafA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsCreateRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. entitlementId: Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`. parent: Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}` * `folders/{folder- number}/locations/{region}` * `projects/{project-id|project- number}/locations/{region}` requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rSr r(r:Tr*rXrNr0rrrrrfr4rrc\rSrSrSr\R "S5r\R"SSS9r \R"S5r Sr g ) FPrivilegedaccessmanagerOrganizationsLocationsEntitlementsDeleteRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsDeleteRequest object. Fields: force: Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.) name: Required. Name of the resource. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). r r(Tr*r:rNr7rrrrrr9rrc:\rSrSrSr\R "SSS9rSrg)CPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGetRequestizA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rNr<rrrrrrNrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) MPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsApproveRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsApprove Request object. Fields: approveGrantRequest: A ApproveGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being approved. r2r r(Tr*rNr@rrrrrs/"../DaH   q4 0$rrc\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) LPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsCreateRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsCreateRequest object. Fields: grant: A Grant resource to be passed as the request body. parent: Required. Name of the parent entitlement for which this grant is being requested. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rr r(Tr*r:rNrErrrrr=*  ! ,%  T 2&##A&)rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) JPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsDenyRequestizA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsDenyRequest object. Fields: denyGrantRequest: A DenyGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being denied. rMr r(Tr*rNrIrrrrrs/++,>B   q4 0$rrc:\rSrSrSr\R "SSS9rSrg)IPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsGetRequestizA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rNr<rrrrrs   q4 0$rrc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) JPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsListRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r(r:rQrXrYTr*rNrSrrrrrsi    #&  ! !! $'  # #Ay/@/@/F/F G(##A&)  T 2&rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) LPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsRevokeRequesti zA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r Tr*r^r(rNr_rrrrr /   q4 0$ --.BAFrrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)LPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c(\rSrSrSrSrSrSrSrSr g) nPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumi-rerr r(r:rNrfrrrrkr-rlrrkr r(r:rQrXrYTr*rNrmrrrrr~()..&!**+NPQR   #&  # #Ay/@/@/F/F G(##A&)  T 2&rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) NPrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsWithdrawRequestiGaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsGrantsWithdra wRequest object. Fields: name: Required. Name of the grant resource which is being withdrawn. withdrawGrantRequest: A WithdrawGrantRequest resource to be passed as the request body. r Tr*rqr(rNrrrrrrrGs/   q4 0$"//0FJrrc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) DPrivilegedaccessmanagerOrganizationsLocationsEntitlementsListRequestiUaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r(r:rQrXrYTr*rNrSrrrrrUr[rrc\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) EPrivilegedaccessmanagerOrganizationsLocationsEntitlementsPatchRequestijaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rSr r(Tr*r:rNryrrrrrjr{rrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)FPrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequestiaA PrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. c$\rSrSrSrSrSrSrSrg)fPrivilegedaccessmanagerOrganizationsLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumirrr r(rNrrrrrrrrrr r(r:rQrXrYTr*rNrrrrrrrrrc:\rSrSrSr\R "SSS9rSrg)JPrivilegedaccessmanagerOrganizationsLocationsFetchEffectiveSettingsRequestiaA PrivilegedaccessmanagerOrganizationsLocationsFetchEffectiveSettingsRequest object. Fields: parent: Required. The resource for which the effective settings should be fetched. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r Tr*rNr,rrrrrrrrc:\rSrSrSr\R "SSS9rSrg)7PrivilegedaccessmanagerOrganizationsLocationsGetRequestizsA PrivilegedaccessmanagerOrganizationsLocationsGetRequest object. Fields: name: Resource name for the location. r Tr*rNr<rrrrrr=rrc:\rSrSrSr\R "SSS9rSrg)?PrivilegedaccessmanagerOrganizationsLocationsGetSettingsRequestizA PrivilegedaccessmanagerOrganizationsLocationsGetSettingsRequest object. Fields: name: Required. The name of the settings resource to be fetched. r Tr*rNr<rrrrrrNrrc\rSrSrSr\R "SSS9r\R "S5r\R "SSS9r \R"S \RRS 9r \R "S 5rS rg )8PrivilegedaccessmanagerOrganizationsLocationsListRequestia A PrivilegedaccessmanagerOrganizationsLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r(r:r*rXrQrYrNrrrrrrrrrc:\rSrSrSr\R "SSS9rSrg)DPrivilegedaccessmanagerOrganizationsLocationsOperationsDeleteRequestizA PrivilegedaccessmanagerOrganizationsLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r Tr*rNr<rrrrrrNrrc:\rSrSrSr\R "SSS9rSrg)APrivilegedaccessmanagerOrganizationsLocationsOperationsGetRequestizA PrivilegedaccessmanagerOrganizationsLocationsOperationsGetRequest object. Fields: name: The name of the operation resource. r Tr*rNr<rrrrrrNrrc\rSrSrSr\R "S5r\R "SSS9r\R"S\RRS9r \R "S 5r \R"S 5rS rg ) BPrivilegedaccessmanagerOrganizationsLocationsOperationsListRequestiaA PrivilegedaccessmanagerOrganizationsLocationsOperationsListRequest object. Fields: filter: The standard list filter. name: The name of the operation's parent resource. pageSize: The standard list page size. pageToken: The standard list page token. returnPartialSuccess: When set to `true`, operations that are reachable are returned as normal, and those that are unreachable are returned in the [ListOperationsResponse.unreachable] field. This can only be `true` when reading across collections e.g. when `parent` is set to `"projects/example/locations/-"`. This field is not by default supported and will result in an `UNIMPLEMENTED` error if set unless explicitly documented otherwise in service or product specific documentation. r r(Tr*r:rQrXrYrNrrrrrrsj"   #&   q4 0$  # #Ay/@/@/F/F G(##A&)"//2rrc\rSrSrSr\R "SSS9r\R"SS5r \R "S5r S r g ) BPrivilegedaccessmanagerOrganizationsLocationsUpdateSettingsRequestiaA PrivilegedaccessmanagerOrganizationsLocationsUpdateSettingsRequest object. Fields: name: Identifier. Name of the settings resource. Possible formats: projects/{project-id|project-number}/locations/{location}/settings folders/{folder-number}/locations/{location}/settings organizations/{organization-number}/locations/{location}/settings settings: A Settings resource to be passed as the request body. updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. A value of '*' for this field refers to full replacement of the resource. r Tr*rr(r:rNrrrrrrs=&   q4 0$  # #J 2($$Q'*rrc:\rSrSrSr\R "SSS9rSrg)DPrivilegedaccessmanagerProjectsLocationsCheckOnboardingStatusRequesti5aA PrivilegedaccessmanagerProjectsLocationsCheckOnboardingStatusRequest object. Fields: parent: Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r Tr*rNr,rrrrr5r-rrc\rSrSrSr\R "SS5r\R"S5r \R"SSS9r \R"S 5r S r g ) APrivilegedaccessmanagerProjectsLocationsEntitlementsCreateRequestiDaaA PrivilegedaccessmanagerProjectsLocationsEntitlementsCreateRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. entitlementId: Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`. parent: Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}` * `folders/{folder- number}/locations/{region}` * `projects/{project-id|project- number}/locations/{region}` requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rSr r(r:Tr*rXrNr0rrrrrDr4rrc\rSrSrSr\R "S5r\R"SSS9r \R"S5r Sr g ) APrivilegedaccessmanagerProjectsLocationsEntitlementsDeleteRequestihaA PrivilegedaccessmanagerProjectsLocationsEntitlementsDeleteRequest object. Fields: force: Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.) name: Required. Name of the resource. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). r r(Tr*r:rNr7rrrrrhr9rrc:\rSrSrSr\R "SSS9rSrg)>PrivilegedaccessmanagerProjectsLocationsEntitlementsGetRequestizzA PrivilegedaccessmanagerProjectsLocationsEntitlementsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rNr<rrrrrr=rrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) HPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsApproveRequestizA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsApproveRequest object. Fields: approveGrantRequest: A ApproveGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being approved. r2r r(Tr*rNr@rrrrrrBrrc\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsCreateRequestiaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsCreateRequest object. Fields: grant: A Grant resource to be passed as the request body. parent: Required. Name of the parent entitlement for which this grant is being requested. requestId: Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000). rr r(Tr*r:rNrErrrrrrrrc`\rSrSrSr\R "SS5r\R"SSS9r Sr g ) EPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsDenyRequestizA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsDenyRequest object. Fields: denyGrantRequest: A DenyGrantRequest resource to be passed as the request body. name: Required. Name of the grant resource which is being denied. rMr r(Tr*rNrIrrrrrrKrrc:\rSrSrSr\R "SSS9rSrg)DPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsGetRequestizA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsGetRequest object. Fields: name: Required. Name of the resource. r Tr*rNr<rrrrrrNrrc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) EPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsListRequestiaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent resource which owns the grants. r r(r:rQrXrYTr*rNrSrrrrrr[rrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsRevokeRequestizA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsRevokeRequest object. Fields: name: Required. Name of the grant resource which is being revoked. revokeGrantRequest: A RevokeGrantRequest resource to be passed as the request body. r Tr*r^r(rNr_rrrrrrrrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)GPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequestiaA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequest object. Enums: CallerRelationshipValueValuesEnum: Required. Only grants which the caller is related to by this relationship are returned in the response. Fields: callerRelationship: Required. Only grants which the caller is related to by this relationship are returned in the response. filter: Optional. Only grants matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the grant resources. c(\rSrSrSrSrSrSrSrSr g) iPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsSearchRequest.CallerRelationshipValueValuesEnumirerr r(r:rNrfrrrrkrrlrrkr r(r:rQrXrYTr*rNrmrrrrrrrrc`\rSrSrSr\R "SSS9r\R"SS5r Sr g ) IPrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsWithdrawRequesti"aA PrivilegedaccessmanagerProjectsLocationsEntitlementsGrantsWithdrawRequest object. Fields: name: Required. Name of the grant resource which is being withdrawn. withdrawGrantRequest: A WithdrawGrantRequest resource to be passed as the request body. r Tr*rqr(rNrrrrrrr"rtrrc\rSrSrSr\R "S5r\R "S5r\R"S\RRS9r \R "S5r \R "SS S 9rS rg ) ?PrivilegedaccessmanagerProjectsLocationsEntitlementsListRequesti1aA PrivilegedaccessmanagerProjectsLocationsEntitlementsListRequest object. Fields: filter: Optional. Filtering results. orderBy: Optional. Hint for how to order the results. pageSize: Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. r r(r:rQrXrYTr*rNrSrrrrr1r[rrc\rSrSrSr\R "SS5r\R"SSS9r \R"S5r S r g ) @PrivilegedaccessmanagerProjectsLocationsEntitlementsPatchRequestiFaA PrivilegedaccessmanagerProjectsLocationsEntitlementsPatchRequest object. Fields: entitlement: A Entitlement resource to be passed as the request body. name: Identifier. Name of the entitlement. Possible formats: * `organizations/{organization- number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement- id}` * `projects/{project-id|project- number}/locations/{region}/entitlements/{entitlement-id}` updateMask: Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource. rSr r(Tr*r:rNryrrrrrFr{rrc\rSrSrSr"SS\R 5r\R"SS5r \R"S5r \R"S\RRS9r\R"S 5r\R"S S S 9rS rg)APrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequestibaA PrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequest object. Enums: CallerAccessTypeValueValuesEnum: Required. Only entitlements where the calling user has this access are returned. Fields: callerAccessType: Required. Only entitlements where the calling user has this access are returned. filter: Optional. Only entitlements matching this filter are returned in the response. pageSize: Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default. pageToken: Optional. A token identifying a page of results the server should return. parent: Required. The parent which owns the entitlement resources. c$\rSrSrSrSrSrSrSrg)aPrivilegedaccessmanagerProjectsLocationsEntitlementsSearchRequest.CallerAccessTypeValueValuesEnumivrrr r(rNrrrrrrvrrrr r(r:rQrXrYTr*rNrrrrrrbrrrc:\rSrSrSr\R "SSS9rSrg)EPrivilegedaccessmanagerProjectsLocationsFetchEffectiveSettingsRequestiaA PrivilegedaccessmanagerProjectsLocationsFetchEffectiveSettingsRequest object. Fields: parent: Required. The resource for which the effective settings should be fetched. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}` r Tr*rNr,rrrrrr-rrc:\rSrSrSr\R "SSS9rSrg)2PrivilegedaccessmanagerProjectsLocationsGetRequestiznA PrivilegedaccessmanagerProjectsLocationsGetRequest object. Fields: name: Resource name for the location. r Tr*rNr<rrrrrr=rrc:\rSrSrSr\R "SSS9rSrg):PrivilegedaccessmanagerProjectsLocationsGetSettingsRequestizA PrivilegedaccessmanagerProjectsLocationsGetSettingsRequest object. Fields: name: Required. The name of the settings resource to be fetched. r Tr*rNr<rrrrrr=rrc\rSrSrSr\R "SSS9r\R "S5r\R "SSS9r \R"S \RRS 9r \R "S 5rS rg )3PrivilegedaccessmanagerProjectsLocationsListRequestiaA PrivilegedaccessmanagerProjectsLocationsListRequest object. Fields: extraLocationTypes: Optional. Do not use this field. It is unsupported and is ignored unless explicitly documented otherwise. This is primarily for internal usage. filter: A filter to narrow down results to a preferred subset. The filtering language accepts strings like `"displayName=tokyo"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160). name: The resource that owns the locations collection, if applicable. pageSize: The maximum number of results to return. If not set, the service selects a default. pageToken: A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page. r Tr r(r:r*rXrQrYrNrrrrrrrrrc:\rSrSrSr\R "SSS9rSrg)?PrivilegedaccessmanagerProjectsLocationsOperationsDeleteRequestizA PrivilegedaccessmanagerProjectsLocationsOperationsDeleteRequest object. Fields: name: The name of the operation resource to be deleted. r Tr*rNr<rrrrrrNrrc:\rSrSrSr\R "SSS9rSrg)\rSrSrSr\R "SS5rSrg)ri zPrivileged access that is requested by a user via a grant. Fields: gcpIamAccess: Access to a Google Cloud resource through IAM. %RequestedPrivilegedAccessGcpIamAccessr rNr&rrrrr s ''(OQRS,rrc\rSrSrSr\R "S5r\R "S5r\R"SSSS9r S r g ) ri! aW`GcpIamAccess` represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Fields: resource: Required. Name of the resource. resourceType: Required. The type of this resource. roleBindings: Optional. Role bindings that are requested as part of the grant. r r(0RequestedPrivilegedAccessGcpIamAccessRoleBindingr:Tr rNrrrrrr! s@  " "1 %(&&q),''(Z\]hlm,rrc\\rSrSrSr\R "SSS9r\R "SSS9rSr g) 7RequestedPrivilegedAccessGcpIamAccessAccessRestrictionsi2 a5AccessRestrictions represents a set of resources to further restrict the access to. This is used to get finer grained access as part of a grant. All restrictions are OR-ed with each other. Fields: resourceNamePrefixes: Optional. The resource name prefixes to restrict the access to. Follow https://cloud.google.com/iam/docs/conditions-resource- attributes#resource-name format. resourceNames: Optional. The resource names to restrict the access to. Follow https://cloud.google.com/iam/docs/conditions-resource- attributes#resource-name format. r Tr r(rN) rrrrrrrresourceNamePrefixes resourceNamesrrrrrr2 s. #..q4@''D9-rrc\rSrSrSr\R "SS5r\R"S5r \R"S5r \R"S5r Sr g ) riD a,IAM role bindings that are requested as part of the grant. Fields: accessRestrictions: Optional. The access restrictions to be applied to the role binding. This further restricts the access of this role binding to specific resources. entitlementConditionExpression: Output only. The IAM condition expression associated with the role at the time of grant request. entitlementRoleBindingId: Required. The role binding id of the role to be granted from the entitlement. role: Output only. The IAM role requested as part of the grant. rr r(r:rXrN) rrrrrrr#accessRestrictionsrentitlementConditionExpressionentitlementRoleBindingIdrolerrrrrrD sP !--.gijk#,#8#8#; &2215   q !$rrcd\rSrSrSr\R "SS5r\R "SS5rSr g) reiX a~Defines how a requester must provide a justification when requesting access. Fields: notMandatory: This option means the requester isn't required to provide a justification. unstructured: This option means the requester must provide a string as justification. If this is selected, the server allows the requester to provide a justification but doesn't validate it. rr Unstructuredr(rN) rrrrrrr# notMandatory unstructuredrrrrrereX s- '':,'':,rrec<\rSrSrSr\R "S5rSrg)r^ih zkRequest message for `RevokeGrant` method. Fields: reason: Optional. The reason for revoking this grant. r rNr4rrrr^r^h s   #&rr^c`\rSrSrSr\R "S5r\R "S5rSr g)r|ir zAn event representing that the grant was revoked. Fields: actor: Output only. Username of the user who revoked the grant. reason: Output only. The reason provided by the user for revoking the grant. r r(rN) rrrrrrrr<r5rrrrr|r|r s)    "%   #&rr|c\rSrSrSr\R "S5r\R "S5r\R "S5r Sr g)ri a4IAM role bindings that are created after a successful grant. Fields: conditionExpression: Optional. The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement is able to access the resource only if this condition evaluates to true for their request. This field uses the same CEL format as IAM and supports all attributes that IAM supports, except tags. https://cloud.google.com/iam/docs/conditions-overview#attributes. id: Output only. The ID corresponding to this role binding in the policy binding. This will be unique within an entitlement across time. Gets re- generated each time the entitlement is updated. role: Required. IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview. r r(r:rN) rrrrrrrconditionExpressionidrrrrrrr s: "--a0Q"   q !$rrc<\rSrSrSr\R "S5rSrg)r}i zAn event representing that the grant has been scheduled to be activated later. Fields: scheduledActivationTime: Output only. The time at which the access is granted. r rN) rrrrrrrscheduledActivationTimerrrrr}r} s&11!4rr}c`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) SearchEntitlementsResponsei zResponse message for `SearchEntitlements` method. Fields: entitlements: The list of entitlements. nextPageToken: A token identifying a page of results the server should return. rSr Tr r(rN) rrrrrrr#rrrrrrrr'r' s-'' q4H,''*-rr'c`\rSrSrSr\R "SSSS9r\R"S5r Sr g ) SearchGrantsResponsei zResponse message for `SearchGrants` method. Fields: grants: The list of grants. nextPageToken: A token identifying a page of results the server should return. rr Tr r(rN) rrrrrrr#rrrrrrrr)r) s-  ! !'1t <&''*-rr)c\rSrSrSr\R "S5r\R"SS5r \R "S5r \R "S5r \R"SS 5r \R "S 5r S rg ) ri a`Settings` resource defines the properties, applied directly to the resource or inherited through the hierarchy, to enable consistent, federated use of PAM. The behavior is as follows: 1. If explicitly set to empty at the node level, PAM's default settings are applied for that node. 2. If not set at the node level, settings are inherited from the closest ancestor with a non-empty value. If none of the ancestors has the field set, PAM's default settings are applied. 3. If explicitly set to a non-empty value at the node level, the specified settings are applied for that node. Fields: createTime: Output only. Create timestamp. emailNotificationSettings: Optional. `EmailNotificationSettings` defines node-wide email notification preferences for various PAM events. etag: Fingerprint for optimistic concurrency returned in the response of `GetSettings`. Must be provided in the requests to `UpdateSettings`. If the value provided does not match the value known to the server, ABORTED will be thrown, and the client should retry the read-modify-write cycle. name: Identifier. Name of the settings resource. Possible formats: projects/{project-id|project-number}/locations/{location}/settings folders/{folder-number}/locations/{location}/settings organizations/{organization-number}/locations/{location}/settings serviceAccountApproverSettings: Optional. This controls the node-level settings for allowing service accounts as approvers. updateTime: Output only. Update timestamp. r !SettingsEmailNotificationSettingsr(r:rX&SettingsServiceAccountApproverSettingsrYrarN)rrrrrrrrlr#rrnrprrurrrrrr ss4$$Q'*'445XZ[\   q !$   q !$#,#9#9:bde#f $$Q'*rrcd\rSrSrSr\R "SS5r\R "SS5rSr g) r+i z`EmailNotificationSettings` defines the node-wide email notification settings. Fields: customNotificationBehavior: Granular settings of notifications. disableAllNotifications: Disable all notifications. ;SettingsEmailNotificationSettingsCustomNotificationBehaviorr 8SettingsEmailNotificationSettingsDisableAllNotificationsr(rN) rrrrrrr#rrrrrrr+r+ s3 )556suvw%223mopqrr+c\rSrSrSr\R "SS5r\R "SS5r\R "SS5r S r g ) r.i a`CustomNotificationBehavior` provides granular control over email notification delivery. Allows admins to selectively enable/disable notifications for specific events and specific personas. Fields: adminNotifications: Optional. Admin email notifications. approverNotifications: Optional. Approver email notifications. requesterNotifications: Optional. Requester email notifications. MSettingsEmailNotificationSettingsCustomNotificationBehaviorAdminNotificationsr PSettingsEmailNotificationSettingsCustomNotificationBehaviorApproverNotificationsr(QSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotificationsr:rNrrrrr.r. sc!--.}@AB#002DFGH$113FHIJrr.cX\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r \R"SS 5r \R"SS 5r \R"SS 5r\R"S S5rSrg)r1i aEmail notifications specific to Admins. Enums: GrantActivatedValueValuesEnum: Optional. Notification mode for grant activated. GrantActivationFailedValueValuesEnum: Optional. Notification mode for grant activation failed. GrantEndedValueValuesEnum: Optional. Notification mode for grant ended. GrantExternallyModifiedValueValuesEnum: Optional. Notification mode for grant externally modified. Fields: grantActivated: Optional. Notification mode for grant activated. grantActivationFailed: Optional. Notification mode for grant activation failed. grantEnded: Optional. Notification mode for grant ended. grantExternallyModified: Optional. Notification mode for grant externally modified. c$\rSrSrSrSrSrSrSrg)kSettingsEmailNotificationSettingsCustomNotificationBehaviorAdminNotifications.GrantActivatedValueValuesEnumi Optional. Notification mode for grant activated. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rN rrrrrNOTIFICATION_MODE_UNSPECIFIEDENABLEDDISABLEDrrrrGrantActivatedValueValuesEnumr6 %&!GHrr<c$\rSrSrSrSrSrSrSrg)rSettingsEmailNotificationSettingsCustomNotificationBehaviorAdminNotifications.GrantActivationFailedValueValuesEnumi Optional. Notification mode for grant activation failed. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrr$GrantActivationFailedValueValuesEnumr? r=rrAc$\rSrSrSrSrSrSrSrg)gSettingsEmailNotificationSettingsCustomNotificationBehaviorAdminNotifications.GrantEndedValueValuesEnumi* Optional. Notification mode for grant ended. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrrGrantEndedValueValuesEnumrC* r=rrEc$\rSrSrSrSrSrSrSrg)tSettingsEmailNotificationSettingsCustomNotificationBehaviorAdminNotifications.GrantExternallyModifiedValueValuesEnumi7 Optional. Notification mode for grant externally modified. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrr&GrantExternallyModifiedValueValuesEnumrG7 r=rrIr r(r:rXrN)rrrrrrrir<rArErIrsgrantActivatedgrantActivationFailed grantEndedgrantExternallyModifiedrrrrr1r1 s( inn  Y^^  )..  y~~ &&'FJ.#--.TVWX""#>B*%//0XZ[\rr1ch\rSrSrSr"SS\R 5r\R"SS5r Sr g)r2iJ zEmail notifications specific to Approvers. Enums: PendingApprovalValueValuesEnum: Optional. Notification mode for pending approval. Fields: pendingApproval: Optional. Notification mode for pending approval. c$\rSrSrSrSrSrSrSrg)oSettingsEmailNotificationSettingsCustomNotificationBehaviorApproverNotifications.PendingApprovalValueValuesEnumiU zOptional. Notification mode for pending approval. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrrPendingApprovalValueValuesEnumrPU r=rrQr rN) rrrrrrrirQrspendingApprovalrrrrr2r2J s, y~~ ''(H!L/rr2c\rSrSrSr"SS\R 5r"SS\R 5r"SS\R 5r "S S \R 5r "S S \R 5r "S S\R 5r "SS\R 5r "SS\R 5r\R"SS5r\R"SS5r\R"SS5r\R"S S5r\R"S S5r\R"SS5r\R"SS5r\R"SS5rSrg)r3ie aAEmail notifications specific to Requesters. Enums: EntitlementAssignedValueValuesEnum: Optional. Notification mode for entitlement assigned. GrantActivatedValueValuesEnum: Optional. Notification mode for grant activated. GrantActivationFailedValueValuesEnum: Optional. Notification mode for grant activation failed. GrantDeniedValueValuesEnum: Optional. Notification mode for grant denied. GrantEndedValueValuesEnum: Optional. Notification mode for grant ended. GrantExpiredValueValuesEnum: Optional. Notification mode for grant request expired. GrantExternallyModifiedValueValuesEnum: Optional. Notification mode for grant externally modified. GrantRevokedValueValuesEnum: Optional. Notification mode for grant revoked. Fields: entitlementAssigned: Optional. Notification mode for entitlement assigned. grantActivated: Optional. Notification mode for grant activated. grantActivationFailed: Optional. Notification mode for grant activation failed. grantDenied: Optional. Notification mode for grant denied. grantEnded: Optional. Notification mode for grant ended. grantExpired: Optional. Notification mode for grant request expired. grantExternallyModified: Optional. Notification mode for grant externally modified. grantRevoked: Optional. Notification mode for grant revoked. c$\rSrSrSrSrSrSrSrg)tSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.EntitlementAssignedValueValuesEnumi zOptional. Notification mode for entitlement assigned. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrr"EntitlementAssignedValueValuesEnumrU r=rrVc$\rSrSrSrSrSrSrSrg)oSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantActivatedValueValuesEnumi r7rr r(rNr8rrrr<rX r=rr<c$\rSrSrSrSrSrSrSrg)vSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantActivationFailedValueValuesEnumi r@rr r(rNr8rrrrArZ r=rrAc$\rSrSrSrSrSrSrSrg)lSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantDeniedValueValuesEnumi zOptional. Notification mode for grant denied. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrrGrantDeniedValueValuesEnumr\ r=rr]c$\rSrSrSrSrSrSrSrg)kSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantEndedValueValuesEnumi rDrr r(rNr8rrrrEr_ r=rrEc$\rSrSrSrSrSrSrSrg)mSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantExpiredValueValuesEnumi zOptional. Notification mode for grant request expired. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrrGrantExpiredValueValuesEnumra r=rrbc$\rSrSrSrSrSrSrSrg)xSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantExternallyModifiedValueValuesEnumi rHrr r(rNr8rrrrIrd r=rrIc$\rSrSrSrSrSrSrSrg)mSettingsEmailNotificationSettingsCustomNotificationBehaviorRequesterNotifications.GrantRevokedValueValuesEnumi zOptional. Notification mode for grant revoked. Values: NOTIFICATION_MODE_UNSPECIFIED: Default notification behavior following PAM's standard settings. ENABLED: Notifications are enabled. DISABLED: Notifications are disabled. rr r(rNr8rrrGrantRevokedValueValuesEnumrf r=rrgr r(r:rXrYrarbrdrN)rrrrrrrirVr<rAr]rErbrIrgrsentitlementAssignedrJrK grantDeniedrL grantExpiredrM grantRevokedrrrrr3r3e s'> 9>>  inn  Y^^  9>>  )..  INN  y~~  INN "++,PRST&&'FJ.#--.TVWX##$@!D+""#>B*$$%BAF,%//0XZ[\$$%BAF,rr3c\rSrSrSrSrg)r/i rrNrrrrr/r/ rrr/c<\rSrSrSr\R "S5rSrg)r,i zThis controls whether service accounts are allowed to approve grants or can be designated as approvers within PAM entitlements. Fields: enabled: Optional. Indicates whether service account is allowed to grant approvals. r rN) rrrrrrrrrrrrr,r, s  " "1 %'rr,c\rSrSrSr"SS\R 5r"SS\R 5r\R"SS5r \R"S5r \R"SS S S 9r \R"S 5r\R"S 5r\R"S5r\R"S5r\R$"SSS 9r\R"S5r\R"S5r\R"S5r\R"S5rSrg)StandardQueryParametersi aQuery parameters accepted by all methods. Enums: FXgafvValueValuesEnum: V1 error format. AltValueValuesEnum: Data format for response. Fields: f__xgafv: V1 error format. access_token: OAuth access token. alt: Data format for response. callback: JSONP fields: Selector specifying which fields to include in a partial response. key: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. oauth_token: OAuth 2.0 token for the current user. prettyPrint: Returns response with indentations and line breaks. quotaUser: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. trace: A tracing token of the form "token:" to include in api requests. uploadType: Legacy upload protocol for media (e.g. "media", "multipart"). upload_protocol: Upload protocol for media (e.g. "raw", "multipart"). c$\rSrSrSrSrSrSrSrg)*StandardQueryParameters.AltValueValuesEnumi" zData format for response. Values: json: Responses with Content-Type of application/json media: Media download with context-dependent Content-Type proto: Responses with Content-Type of application/x-protobuf rr r(rN) rrrrrjsonmediaprotorrrrAltValueValuesEnumrq" s D E Erruc \rSrSrSrSrSrSrg)-StandardQueryParameters.FXgafvValueValuesEnumi. zFV1 error format. Values: _1: v1 error format _2: v2 error format rr rN)rrrrr_1_2rrrrFXgafvValueValuesEnumrw. s B Brrzr r(r:rr)defaultrXrYrarbrdTrfrgrhrrN)rrrrrrrirurzrsf__xgafvr access_tokenaltcallbackfieldsr oauth_tokenr prettyPrint quotaUsertrace uploadTypeupload_protocolrrrrroro s4 9>>  inn  !8! <(&&q),0!VD#  " "1 %(   #&a #%%a(+&&q$7+##A&)    #%$$R(*))"-/rroc\rSrSrSr\R "S5"SS\R55r \R"S\RRS9r \R"SSS S 9r\R "S 5rS rg )r"iF aThe `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). Messages: DetailsValueListEntry: A DetailsValueListEntry object. Fields: code: The status code, which should be an enum value of google.rpc.Code. details: A list of messages that carry the error details. There is a common set of message types for APIs to use. message: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. rcf\rSrSrSr"SS\R 5r\R"SSSS9r Sr g ) Status.DetailsValueListEntryiZ zA DetailsValueListEntry object. Messages: AdditionalProperty: An additional property for a DetailsValueListEntry object. Fields: additionalProperties: Properties of the object. Contains field @type with type URL. cb\rSrSrSr\R "S5r\R"SS5r Sr g)/Status.DetailsValueListEntry.AdditionalPropertyig zAn additional property for a DetailsValueListEntry object. Fields: key: Name of the additional property. value: A extra_types.JsonValue attribute. r rr(rNrrrrrrg rrrr Tr rNrrrrDetailsValueListEntryrZ rrrr rQr(Tr r:rN)rrrrrrrrrrrVrWrXcoder#detailsrmessagerrrrr"r"F s|& !!"89Zi//Z:Z2   9+<+<+B+B C$  " "#:A M'  ! !! $'rr"c\rSrSrSr\R "S\RRS9r \R"SSS9r \R"SS SS9r \R"S 5rS rg ) r iy akStep represents a logical step in a manual approval workflow. Fields: approvalsNeeded: Required. How many users from the above list need to approve. If there aren't enough distinct users in the list, then the workflow indefinitely blocks. Should always be greater than 0. 1 is the only supported value. approverEmailRecipients: Optional. Additional email addresses to be notified when a grant is pending approval. approvers: Optional. The potential set of approvers in this step. This list must contain at most one entry. id: Output only. Step ID used to identify the step in the workflow. r rQr(Tr r r:rXrN)rrrrrrrVrWrXapprovalsNeededrapproverEmailRecipientsr# approversr#rrrrr r y s_ **1i6G6G6M6MN/%11!dC$$%91tL)Q"rr c<\rSrSrSr\R "SSSS9rSrg) ri a<Timeline of a grant describing what happened to it and when. Fields: events: Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type `Requested` and there is always at least one entry in this array. rwr Tr rN) rrrrrrr#eventsrrrrrr s  ! !'1t <&rrc\rSrSrSrSrg)ri zEThe requester has to provide a justification in the form of a string.rNrrrrrr sNrrc\rSrSrSrSrg)rqi z+Request message for `WithdrawGrant` method.rNrrrrrqrq s4rrqc\rSrSrSrSrg)r~i z3An event representing that the grant was withdrawn.rNrrrrr~r~ srs\ "'<%( $ 7** 7J !!J.y((. EI$5$5 E Ay(( A $)++ $ $y  $ ."" . ,I$5$5 , $Y   $ $y(( $9I  9F))##F)R"6I  "6J;i;**}Y%6%6}*$i>O>O$& `XaXiXi `O>O11iFWFW1'y?P?P'019K\K\11 HYHY13IZIZ32(IZIZ(2 39K\K\ 3!' HYHY!'H' HYHY'41YEVEV1 1yO`O` 1'iN_N_'6 1IL]L] 119K\K\13IL]L]3* GiN_N_ G,3iN_N_,3^ KPYPaPa K3iFWFW3*(yGXGX(8'3 HYHY'3T 3IL]L] 319J9J11ARAR1'):K:K'01iFWFW119CTCT13IDUDU30(IDUDU(0( !!(T 1 1TnI,=,=n":i>O>O:$"y7H7H"( ;9#4#4 ; $**$ $i $")##", 5 !! 5 +!2!2 + +9,, + (y  (F r (9(9 r J)BSBS J L]T]TeTeL]^MW`WhWhM6OGXaXiXiOGdJy?P?PJ &Y->-> &<.i//<.~0%Y  0%f 9   * =y  =O9$$O59,,5= !!= ""Z4!!114>!!114>r