access_approval_settings
Creates, updates, deletes, gets or lists an access_approval_settings resource.
Overview
| Name | access_approval_settings |
| Type | Resource |
| Id | google.accessapproval.access_approval_settings |
Fields
The following fields are returned by SELECT queries:
- organizations_get_access_approval_settings
- projects_get_access_approval_settings
- folders_get_access_approval_settings
| Name | Datatype | Description |
|---|---|---|
name | string | The resource name of the settings. Format is one of: * "projects/{project}/accessApprovalSettings" * "folders/{folder}/accessApprovalSettings" * "organizations/{organization}/accessApprovalSettings" |
activeKeyVersion | string | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of this resource, and new non-empty values may not be set. |
ancestorHasActiveKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that an ancestor of this Project or Folder has set active_key_version (this field will always be unset for the organization since organizations do not have ancestors). |
approvalPolicy | object | Optional. Policy configuration for Access Approval that sets the operating mode. The available policies are Transparency, Streamlined Support, and Approval Required. (id: CustomerApprovalApprovalPolicy) |
effectiveApprovalPolicy | object | Output only. Effective policy applied for Access Approval, inclusive of inheritance. (id: CustomerApprovalApprovalPolicy) |
enrolledAncestor | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that at least one service is enrolled for Access Approval in one or more ancestors of the Project or Folder (this field will always be unset for the organization since organizations do not have ancestors). |
enrolledServices | array | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. If name refers to an organization, enrollment can be done for individual services. If name refers to a folder or project, enrollment can only be done on an all or nothing basis. If a cloud_product is repeated in this list, the first entry will be honored and all following entries will be discarded. |
invalidKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that there is some configuration issue with the active_key_version configured at this level in the resource hierarchy (e.g. it doesn't exist or the Access Approval service account doesn't have the correct permissions on it, etc.) This key version is not necessarily the effective key version at this level, as key versions are inherited top-down. |
notificationEmails | array | A list of email addresses to which notifications relating to approval requests should be sent. Notifications relating to a resource will be sent to all emails in the settings of ancestor resources of that resource. A maximum of 50 email addresses are allowed. |
notificationPubsubTopic | string | Optional. A pubsub topic that notifications relating to access approval are published to. Notifications include pre-approved accesses. |
preferNoBroadApprovalRequests | boolean | This field is used to set a preference for granularity of an access approval request. If true, Google personnel will be asked to send resource-level requests when possible. If false, Google personnel will be asked to send requests at the project level. |
preferredRequestExpirationDays | integer (int32) | Set the default access approval request expiration time. This value is able to be set directly by the customer at the time of approval, overriding this suggested value. We recommend setting this value to 30 days. |
requestScopeMaxWidthPreference | string | Optional. A setting that indicates the maximum scope of an Access Approval request: either organization, folder, or project. Google administrators will be asked to send requests no broader than the configured scope. |
requireCustomerVisibleJustification | boolean | Optional. When enabled, Google will only be able to send approval requests for access reasons with a customer accessible case ID in the reason detail. Also known as "Require customer initiated support case justification" |
| Name | Datatype | Description |
|---|---|---|
name | string | The resource name of the settings. Format is one of: * "projects/{project}/accessApprovalSettings" * "folders/{folder}/accessApprovalSettings" * "organizations/{organization}/accessApprovalSettings" |
activeKeyVersion | string | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of this resource, and new non-empty values may not be set. |
ancestorHasActiveKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that an ancestor of this Project or Folder has set active_key_version (this field will always be unset for the organization since organizations do not have ancestors). |
approvalPolicy | object | Optional. Policy configuration for Access Approval that sets the operating mode. The available policies are Transparency, Streamlined Support, and Approval Required. (id: CustomerApprovalApprovalPolicy) |
effectiveApprovalPolicy | object | Output only. Effective policy applied for Access Approval, inclusive of inheritance. (id: CustomerApprovalApprovalPolicy) |
enrolledAncestor | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that at least one service is enrolled for Access Approval in one or more ancestors of the Project or Folder (this field will always be unset for the organization since organizations do not have ancestors). |
enrolledServices | array | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. If name refers to an organization, enrollment can be done for individual services. If name refers to a folder or project, enrollment can only be done on an all or nothing basis. If a cloud_product is repeated in this list, the first entry will be honored and all following entries will be discarded. |
invalidKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that there is some configuration issue with the active_key_version configured at this level in the resource hierarchy (e.g. it doesn't exist or the Access Approval service account doesn't have the correct permissions on it, etc.) This key version is not necessarily the effective key version at this level, as key versions are inherited top-down. |
notificationEmails | array | A list of email addresses to which notifications relating to approval requests should be sent. Notifications relating to a resource will be sent to all emails in the settings of ancestor resources of that resource. A maximum of 50 email addresses are allowed. |
notificationPubsubTopic | string | Optional. A pubsub topic that notifications relating to access approval are published to. Notifications include pre-approved accesses. |
preferNoBroadApprovalRequests | boolean | This field is used to set a preference for granularity of an access approval request. If true, Google personnel will be asked to send resource-level requests when possible. If false, Google personnel will be asked to send requests at the project level. |
preferredRequestExpirationDays | integer (int32) | Set the default access approval request expiration time. This value is able to be set directly by the customer at the time of approval, overriding this suggested value. We recommend setting this value to 30 days. |
requestScopeMaxWidthPreference | string | Optional. A setting that indicates the maximum scope of an Access Approval request: either organization, folder, or project. Google administrators will be asked to send requests no broader than the configured scope. |
requireCustomerVisibleJustification | boolean | Optional. When enabled, Google will only be able to send approval requests for access reasons with a customer accessible case ID in the reason detail. Also known as "Require customer initiated support case justification" |
| Name | Datatype | Description |
|---|---|---|
name | string | The resource name of the settings. Format is one of: * "projects/{project}/accessApprovalSettings" * "folders/{folder}/accessApprovalSettings" * "organizations/{organization}/accessApprovalSettings" |
activeKeyVersion | string | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of this resource, and new non-empty values may not be set. |
ancestorHasActiveKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that an ancestor of this Project or Folder has set active_key_version (this field will always be unset for the organization since organizations do not have ancestors). |
approvalPolicy | object | Optional. Policy configuration for Access Approval that sets the operating mode. The available policies are Transparency, Streamlined Support, and Approval Required. (id: CustomerApprovalApprovalPolicy) |
effectiveApprovalPolicy | object | Output only. Effective policy applied for Access Approval, inclusive of inheritance. (id: CustomerApprovalApprovalPolicy) |
enrolledAncestor | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that at least one service is enrolled for Access Approval in one or more ancestors of the Project or Folder (this field will always be unset for the organization since organizations do not have ancestors). |
enrolledServices | array | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. If name refers to an organization, enrollment can be done for individual services. If name refers to a folder or project, enrollment can only be done on an all or nothing basis. If a cloud_product is repeated in this list, the first entry will be honored and all following entries will be discarded. |
invalidKeyVersion | boolean | Output only. This field is read only (not settable via UpdateAccessApprovalSettings method). If the field is true, that indicates that there is some configuration issue with the active_key_version configured at this level in the resource hierarchy (e.g. it doesn't exist or the Access Approval service account doesn't have the correct permissions on it, etc.) This key version is not necessarily the effective key version at this level, as key versions are inherited top-down. |
notificationEmails | array | A list of email addresses to which notifications relating to approval requests should be sent. Notifications relating to a resource will be sent to all emails in the settings of ancestor resources of that resource. A maximum of 50 email addresses are allowed. |
notificationPubsubTopic | string | Optional. A pubsub topic that notifications relating to access approval are published to. Notifications include pre-approved accesses. |
preferNoBroadApprovalRequests | boolean | This field is used to set a preference for granularity of an access approval request. If true, Google personnel will be asked to send resource-level requests when possible. If false, Google personnel will be asked to send requests at the project level. |
preferredRequestExpirationDays | integer (int32) | Set the default access approval request expiration time. This value is able to be set directly by the customer at the time of approval, overriding this suggested value. We recommend setting this value to 30 days. |
requestScopeMaxWidthPreference | string | Optional. A setting that indicates the maximum scope of an Access Approval request: either organization, folder, or project. Google administrators will be asked to send requests no broader than the configured scope. |
requireCustomerVisibleJustification | boolean | Optional. When enabled, Google will only be able to send approval requests for access reasons with a customer accessible case ID in the reason detail. Also known as "Require customer initiated support case justification" |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
organizations_get_access_approval_settings | select | organizationsId | Gets the Access Approval settings associated with a project, folder, or organization. | |
projects_get_access_approval_settings | select | projectsId | Gets the Access Approval settings associated with a project, folder, or organization. | |
folders_get_access_approval_settings | select | foldersId | Gets the Access Approval settings associated with a project, folder, or organization. | |
organizations_update_access_approval_settings | update | organizationsId | updateMask | Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask. |
projects_update_access_approval_settings | update | projectsId | updateMask | Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask. |
folders_update_access_approval_settings | update | foldersId | updateMask | Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask. |
organizations_delete_access_approval_settings | delete | organizationsId | Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled. | |
projects_delete_access_approval_settings | delete | projectsId | Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled. | |
folders_delete_access_approval_settings | delete | foldersId | Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
foldersId | string | |
organizationsId | string | |
projectsId | string | |
updateMask | string (google-fieldmask) |
SELECT examples
- organizations_get_access_approval_settings
- projects_get_access_approval_settings
- folders_get_access_approval_settings
Gets the Access Approval settings associated with a project, folder, or organization.
SELECT
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification
FROM google.accessapproval.access_approval_settings
WHERE organizationsId = '{{ organizationsId }}' -- required
;
Gets the Access Approval settings associated with a project, folder, or organization.
SELECT
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification
FROM google.accessapproval.access_approval_settings
WHERE projectsId = '{{ projectsId }}' -- required
;
Gets the Access Approval settings associated with a project, folder, or organization.
SELECT
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification
FROM google.accessapproval.access_approval_settings
WHERE foldersId = '{{ foldersId }}' -- required
;
UPDATE examples
- organizations_update_access_approval_settings
- projects_update_access_approval_settings
- folders_update_access_approval_settings
Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.
UPDATE google.accessapproval.access_approval_settings
SET
data__activeKeyVersion = '{{ activeKeyVersion }}',
data__preferredRequestExpirationDays = {{ preferredRequestExpirationDays }},
data__preferNoBroadApprovalRequests = {{ preferNoBroadApprovalRequests }},
data__enrolledServices = '{{ enrolledServices }}',
data__notificationEmails = '{{ notificationEmails }}',
data__requireCustomerVisibleJustification = {{ requireCustomerVisibleJustification }},
data__approvalPolicy = '{{ approvalPolicy }}',
data__notificationPubsubTopic = '{{ notificationPubsubTopic }}',
data__requestScopeMaxWidthPreference = '{{ requestScopeMaxWidthPreference }}',
data__name = '{{ name }}'
WHERE
organizationsId = '{{ organizationsId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification;
Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.
UPDATE google.accessapproval.access_approval_settings
SET
data__activeKeyVersion = '{{ activeKeyVersion }}',
data__preferredRequestExpirationDays = {{ preferredRequestExpirationDays }},
data__preferNoBroadApprovalRequests = {{ preferNoBroadApprovalRequests }},
data__enrolledServices = '{{ enrolledServices }}',
data__notificationEmails = '{{ notificationEmails }}',
data__requireCustomerVisibleJustification = {{ requireCustomerVisibleJustification }},
data__approvalPolicy = '{{ approvalPolicy }}',
data__notificationPubsubTopic = '{{ notificationPubsubTopic }}',
data__requestScopeMaxWidthPreference = '{{ requestScopeMaxWidthPreference }}',
data__name = '{{ name }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification;
Updates the settings associated with a project, folder, or organization. Settings to update are determined by the value of field_mask.
UPDATE google.accessapproval.access_approval_settings
SET
data__activeKeyVersion = '{{ activeKeyVersion }}',
data__preferredRequestExpirationDays = {{ preferredRequestExpirationDays }},
data__preferNoBroadApprovalRequests = {{ preferNoBroadApprovalRequests }},
data__enrolledServices = '{{ enrolledServices }}',
data__notificationEmails = '{{ notificationEmails }}',
data__requireCustomerVisibleJustification = {{ requireCustomerVisibleJustification }},
data__approvalPolicy = '{{ approvalPolicy }}',
data__notificationPubsubTopic = '{{ notificationPubsubTopic }}',
data__requestScopeMaxWidthPreference = '{{ requestScopeMaxWidthPreference }}',
data__name = '{{ name }}'
WHERE
foldersId = '{{ foldersId }}' --required
AND updateMask = '{{ updateMask}}'
RETURNING
name,
activeKeyVersion,
ancestorHasActiveKeyVersion,
approvalPolicy,
effectiveApprovalPolicy,
enrolledAncestor,
enrolledServices,
invalidKeyVersion,
notificationEmails,
notificationPubsubTopic,
preferNoBroadApprovalRequests,
preferredRequestExpirationDays,
requestScopeMaxWidthPreference,
requireCustomerVisibleJustification;
DELETE examples
- organizations_delete_access_approval_settings
- projects_delete_access_approval_settings
- folders_delete_access_approval_settings
Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled.
DELETE FROM google.accessapproval.access_approval_settings
WHERE organizationsId = '{{ organizationsId }}' --required
;
Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled.
DELETE FROM google.accessapproval.access_approval_settings
WHERE projectsId = '{{ projectsId }}' --required
;
Deletes the settings associated with a project, folder, or organization. This will have the effect of disabling Access Approval for the resource. Access Approval may remain active based on parent resource settings. To confirm the effective settings, call GetAccessApprovalSettings and verify effective setting is disabled.
DELETE FROM google.accessapproval.access_approval_settings
WHERE foldersId = '{{ foldersId }}' --required
;