gcp_user_access_bindings
Creates, updates, deletes, gets or lists a gcp_user_access_bindings resource.
Overview
Name | gcp_user_access_bindings |
Type | Resource |
Id | google.accesscontextmanager.gcp_user_access_bindings |
Fields
The following fields are returned by SELECT queries (the get and list methods return the same fields):
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N" |
accessLevels | array | Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted" |
dryRunAccessLevels | array | Optional. Dry run access level that will be evaluated but will not be enforced. The access denial based on dry run policy will be logged. Only one access level is supported, not multiple. This list must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted" |
groupKey | string | Optional. Immutable. Google Group id whose users are subject to this binding's restrictions. See "id" in the [Google Workspace Directory API's Group Resource](https://developers.google.com/admin-sdk/directory/v1/reference/groups#resource). If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht" |
restrictedClientApplications | array | Optional. A list of applications that are subject to this binding's restrictions. If the list is empty, the binding restrictions will universally apply to all applications. |
scopedAccessSettings | array | Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications. This field cannot be set if restricted_client_applications is set. |
sessionSettings | object | Optional. The Google Cloud session length (GCSL) policy for the group key. (id: SessionSettings) |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | organizationsId, gcpUserAccessBindingsId | | Gets the GcpUserAccessBinding with the given name. |
list | select | organizationsId | pageSize, pageToken | Lists all GcpUserAccessBindings for a Google Cloud organization. |
create | insert | organizationsId | | Creates a GcpUserAccessBinding. If the client specifies a name, the server ignores it. Fails if a resource already exists with the same group_key. Completion of this long-running operation does not necessarily signify that the new binding is deployed onto all affected users, which may take more time. |
patch | update | organizationsId, gcpUserAccessBindingsId | updateMask, append | Updates a GcpUserAccessBinding. Completion of this long-running operation does not necessarily signify that the changed binding is deployed onto all affected users, which may take more time. |
delete | delete | organizationsId, gcpUserAccessBindingsId | | Deletes a GcpUserAccessBinding. Completion of this long-running operation does not necessarily signify that the binding deletion is deployed onto all affected users, which may take more time. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
gcpUserAccessBindingsId | string | |
organizationsId | string | |
append | boolean | |
pageSize | integer (int32) | |
pageToken | string | |
updateMask | string (google-fieldmask) | |
SELECT examples
- get
- list
Gets the GcpUserAccessBinding with the given name.
SELECT
name,
accessLevels,
dryRunAccessLevels,
groupKey,
restrictedClientApplications,
scopedAccessSettings,
sessionSettings
FROM google.accesscontextmanager.gcp_user_access_bindings
WHERE organizationsId = '{{ organizationsId }}' -- required
AND gcpUserAccessBindingsId = '{{ gcpUserAccessBindingsId }}'; -- required
Lists all GcpUserAccessBindings for a Google Cloud organization.
SELECT
name,
accessLevels,
dryRunAccessLevels,
groupKey,
restrictedClientApplications,
scopedAccessSettings,
sessionSettings
FROM google.accesscontextmanager.gcp_user_access_bindings
WHERE organizationsId = '{{ organizationsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
INSERT examples
- create
- Manifest
Creates a GcpUserAccessBinding. If the client specifies a name, the server ignores it. Fails if a resource already exists with the same group_key. Completion of this long-running operation does not necessarily signify that the new binding is deployed onto all affected users, which may take more time.
INSERT INTO google.accesscontextmanager.gcp_user_access_bindings (
data__name,
data__groupKey,
data__accessLevels,
data__dryRunAccessLevels,
data__sessionSettings,
data__restrictedClientApplications,
data__scopedAccessSettings,
organizationsId
)
SELECT
'{{ name }}', -- ignored by the server on create
'{{ groupKey }}',
'{{ accessLevels }}',
'{{ dryRunAccessLevels }}',
'{{ sessionSettings }}',
'{{ restrictedClientApplications }}',
'{{ scopedAccessSettings }}',
'{{ organizationsId }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: gcp_user_access_bindings
  props:
    - name: organizationsId
      value: string
      description: Required parameter for the gcp_user_access_bindings resource.
    - name: name
      value: string
      description: >
        Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by [RFC 3986 Section 2.3](https://tools.ietf.org/html/rfc3986#section-2.3)). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"
    - name: groupKey
      value: string
      description: >
        Optional. Immutable. Google Group id whose users are subject to this binding's restrictions. See "id" in the [Google Workspace Directory API's Group Resource](https://developers.google.com/admin-sdk/directory/v1/reference/groups#resource). If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"
    - name: accessLevels
      value: array
      description: >
        Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
    - name: dryRunAccessLevels
      value: array
      description: >
        Optional. Dry run access level that will be evaluated but will not be enforced. The access denial based on dry run policy will be logged. Only one access level is supported, not multiple. This list must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"
    - name: sessionSettings
      value: object
      description: >
        Optional. The Google Cloud session length (GCSL) policy for the group key.
    - name: restrictedClientApplications
      value: array
      description: >
        Optional. A list of applications that are subject to this binding's restrictions. If the list is empty, the binding restrictions will universally apply to all applications.
    - name: scopedAccessSettings
      value: array
      description: >
        Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications. This field cannot be set if restricted_client_applications is set.
UPDATE examples
- patch
Updates a GcpUserAccessBinding. Completion of this long-running operation does not necessarily signify that the changed binding is deployed onto all affected users, which may take more time.
UPDATE google.accesscontextmanager.gcp_user_access_bindings
SET
data__name = '{{ name }}',
data__groupKey = '{{ groupKey }}',
data__accessLevels = '{{ accessLevels }}',
data__dryRunAccessLevels = '{{ dryRunAccessLevels }}',
data__sessionSettings = '{{ sessionSettings }}',
data__restrictedClientApplications = '{{ restrictedClientApplications }}',
data__scopedAccessSettings = '{{ scopedAccessSettings }}'
WHERE
organizationsId = '{{ organizationsId }}' -- required
AND gcpUserAccessBindingsId = '{{ gcpUserAccessBindingsId }}' -- required
AND updateMask = '{{ updateMask }}'
AND append = {{ append }}
RETURNING
name,
done,
error,
metadata,
response;
DELETE examples
- delete
Deletes a GcpUserAccessBinding. Completion of this long-running operation does not necessarily signify that the binding deletion is deployed onto all affected users, which may take more time.
DELETE FROM google.accesscontextmanager.gcp_user_access_bindings
WHERE organizationsId = '{{ organizationsId }}' -- required
AND gcpUserAccessBindingsId = '{{ gcpUserAccessBindingsId }}'; -- required