// Copyright (c) 2015, Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.iam.v1; import "google/iam/v1/policy.proto"; option java_multiple_files = true; option java_outer_classname = "IamPolicyProto"; option java_package = "com.google.iam.v1"; // ## API Overview // // Any implementation of an API that offers access control features // implements the google.iam.v1.IAMPolicy interface. // // ## Data model // // Access control is applied when a principal (user or service account), takes // some action on a resource exposed by a service. Resources, identified by // URI-like names, are the unit of access control specification. Service // implementations can choose the granularity of access control and the // supported permissions for their resources. // For example one database service may allow access control to be // specified only at the Table level, whereas another might allow access control // to also be specified at the Column level. // // ## Policy Structure // // See google.iam.v1.Policy // // This is intentionally not a CRUD style API because access control policies // are created and deleted implicitly with the resources to which they are // attached. service IAMPolicy { // Sets the access control policy on the specified resource. Replaces any // existing policy. rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy); // Gets the access control policy for a resource. Is empty if the // policy or the resource does not exist. rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy); // Returns permissions that a caller has on the specified resource. rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse); } // Request message for `SetIamPolicy` method. message SetIamPolicyRequest { // REQUIRED: The resource for which policy is being specified. // Resource is usually specified as a path, such as, // projects/{project}/zones/{zone}/disks/{disk}. string resource = 1; // REQUIRED: The complete policy to be applied to the 'resource'. The size of // the policy is limited to a few 10s of KB. An empty policy is in general a // valid policy but certain services (like Projects) might reject them. Policy policy = 2; } // Request message for `GetIamPolicy` method. message GetIamPolicyRequest { // REQUIRED: The resource for which policy is being requested. Resource // is usually specified as a path, such as, projects/{project}. string resource = 1; } // Request message for `TestIamPermissions` method. message TestIamPermissionsRequest { // REQUIRED: The resource for which policy detail is being requested. // Resource is usually specified as a path, such as, projects/{project}. string resource = 1; // The set of permissions to check for the 'resource'. Permissions with // wildcards (such as '*' or 'storage.*') are not allowed. repeated string permissions = 2; } // Response message for `TestIamPermissions` method. message TestIamPermissionsResponse { // A subset of `TestPermissionsRequest.permissions` that the caller is // allowed. repeated string permissions = 1; }