Updates the specified Policy on the resource. Creates a new Policy for that Constraint on the resource if one does not exist. Not supplying an etag on the request Policy results in an unconditional write of the Policy.
Scopes
You will need authorization for the https://www.googleapis.com/auth/cloud-platform scope to make a valid call.
If unset, the scope for this method defaults to https://www.googleapis.com/auth/cloud-platform.
You can set the scope for this method like this: cloudresourcemanager1 --scope <scope> folders set-org-policy ...
Required Scalar Argument
- <resource> (string)
  - Resource name of the resource to attach the Policy.
Required Request Value
The request value is a data-structure with various fields. Each field may be a simple scalar or another data-structure. In the latter case it is advised to set the field-cursor to the data-structure's field to specify values more concisely.
For example, a structure like this:
SetOrgPolicyRequest:
  policy:
    boolean-policy:
      enforced: boolean
    constraint: string
    etag: string
    list-policy:
      all-values: string
      allowed-values: [string]
      denied-values: [string]
      inherit-from-parent: boolean
      suggested-value: string
    update-time: string
    version: integer
can be set completely with the following arguments which are assumed to be executed in the given order. Note how the cursor position is adjusted to the respective structures, allowing simple field names to be used most of the time.
- -r .policy.boolean-policy enforced=true
  - If true, then the Policy is enforced. If false, then any configuration is acceptable. Suppose you have a Constraint constraints/compute.disableSerialPortAccess with constraint_default set to ALLOW. A Policy for that Constraint exhibits the following behavior:
    - If the Policy at this resource has enforced set to false, serial port connection attempts will be allowed.
    - If the Policy at this resource has enforced set to true, serial port connection attempts will be refused.
    - If the Policy at this resource is RestoreDefault, serial port connection attempts will be allowed.
    - If no Policy is set at this resource or anywhere higher in the resource hierarchy, serial port connection attempts will be allowed.
    - If no Policy is set at this resource, but one exists higher in the resource hierarchy, the behavior is as if the Policy were set at this resource.
    The following examples demonstrate the different possible layerings:
    - Example 1 (nearest Constraint wins): organizations/foo has a Policy with: {enforced: false}. projects/bar has no Policy set. The constraint at projects/bar and organizations/foo will not be enforced.
    - Example 2 (enforcement gets replaced): organizations/foo has a Policy with: {enforced: false}. projects/bar has a Policy with: {enforced: true}. The constraint at organizations/foo is not enforced. The constraint at projects/bar is enforced.
    - Example 3 (RestoreDefault): organizations/foo has a Policy with: {enforced: true}. projects/bar has a Policy with: {RestoreDefault: {}}. The constraint at organizations/foo is enforced. The constraint at projects/bar is not enforced, because constraint_default for the Constraint is ALLOW.
- .. constraint=amet.
  - The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services. A list of available constraints is available. Immutable after creation.
- etag=duo
  - An opaque tag indicating the current version of the Policy, used for concurrency control. When the Policy is returned from either a GetPolicy or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset. When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etag in a SetOrgPolicy request will result in an unconditional write of the Policy.
- list-policy all-values=ipsum
  - The policy all_values state.
- allowed-values=gubergren
  - List of values allowed at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.
  - Each invocation of this argument appends the given value to the array.
- denied-values=lorem
  - List of values denied at this resource. Can only be set if all_values is set to ALL_VALUES_UNSPECIFIED.
  - Each invocation of this argument appends the given value to the array.
- inherit-from-parent=false
  - Determines the inheritance behavior for this Policy. By default, a ListPolicy set at a resource supersedes any Policy set anywhere up the resource hierarchy. However, if inherit_from_parent is set to true, then the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy. Setting Policy hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set a Policy with allowed_values set that inherits a Policy with denied_values set. In this case, the values that are allowed must be in allowed_values and not present in denied_values. For example, suppose you have a Constraint constraints/serviceuser.services, which has a constraint_type of list_constraint, and with constraint_default set to ALLOW. Suppose that at the Organization level, a Policy is applied that restricts the allowed API activations to {E1, E2}. Then, if a Policy is applied to a project below the Organization that has inherit_from_parent set to false and field all_values set to DENY, then an attempt to activate any API will be denied. The following examples demonstrate different possible layerings for projects/bar parented by organizations/foo:
    - Example 1 (no inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has inherit_from_parent false and values: {allowed_values: "E3" allowed_values: "E4"}. The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E3, and E4.
    - Example 2 (inherited values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has a Policy with values: {value: "E3" value: "E4" inherit_from_parent: true}. The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are E1, E2, E3, and E4.
    - Example 3 (inheriting both allowed and denied values): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has a Policy with: {denied_values: "E1"}. The accepted values at organizations/foo are E1, E2. The value accepted at projects/bar is E2.
    - Example 4 (RestoreDefault): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has a Policy with values: {RestoreDefault: {}}. The accepted values at organizations/foo are E1, E2. The accepted values at projects/bar are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).
    - Example 5 (no policy inherits parent policy): organizations/foo has no Policy set. projects/bar has no Policy set. The accepted values at both levels are either all or none depending on the value of constraint_default (if ALLOW, all; if DENY, none).
    - Example 6 (ListConstraint allowing all): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has a Policy with: {all: ALLOW}. The accepted values at organizations/foo are E1, E2. Any value is accepted at projects/bar.
    - Example 7 (ListConstraint allowing none): organizations/foo has a Policy with values: {allowed_values: "E1" allowed_values: "E2"}. projects/bar has a Policy with: {all: DENY}. The accepted values at organizations/foo are E1, E2. No value is accepted at projects/bar.
    - Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, organizations/foo has a Policy with values: {allowed_values: "under:organizations/O1"}. projects/bar has a Policy with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"}. The accepted values at organizations/foo are organizations/O1, folders/F1, folders/F2, projects/P1, projects/P2, projects/P3. The accepted values at projects/bar are organizations/O1, folders/F1, projects/P1.
- suggested-value=dolor
  - Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggested_value is not set, it will inherit the value specified higher in the hierarchy, unless inherit_from_parent is false.
- .. update-time=ea
  - The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored.
- version=46
  - Version of the Policy. Default version is 0;
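The etag description above calls for a read-modify-write loop: read the Policy with GetOrgPolicy, change it, and send it back to SetOrgPolicy with the etag so that a concurrent change is rejected rather than overwritten. The following is an added example (not code from this CLI or from the Cloud Resource Manager API) that plays that loop against an in-memory stand-in for the service. The PolicyStore class, the ConflictError, the etag scheme (a hash of the stored policy), and the resource and constraint names used in the demos are all constructed for illustration; the real service's etag is opaque. The two demo functions contrast an unconditional write (etag omitted, as the docs warn) with a conditional one.

```python
# Added example (not the CLI's or the API's own code): a read-modify-write loop
# around SetOrgPolicy, run against an in-memory stand-in for the service.
# PolicyStore, ConflictError, the etag scheme (a hash of the stored policy) and
# the resource/constraint names in the demos are constructed; the real etag is opaque.
import hashlib
import json
from typing import Dict, Tuple


class ConflictError(Exception):
    """Raised when a request etag does not match the stored Policy's etag."""


class PolicyStore:
    """One Policy per (resource, constraint), each with a server-side etag."""

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, str], dict] = {}

    @staticmethod
    def _etag(policy: dict) -> str:
        return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()[:16]

    def _stored(self, resource: str, constraint: str) -> dict:
        return self._policies.get((resource, constraint), {"constraint": constraint, "listPolicy": {}})

    def get_org_policy(self, resource: str, constraint: str) -> dict:
        """GetOrgPolicy: returns the Policy together with its current etag."""
        policy = self._stored(resource, constraint)
        return {**policy, "etag": self._etag(policy)}

    def get_effective_policy(self, resource: str, constraint: str) -> dict:
        """GetEffectivePolicy: per the docs, the etag is unset on this result."""
        return dict(self._stored(resource, constraint))

    def set_org_policy(self, resource: str, policy: dict) -> dict:
        """SetOrgPolicy: with an etag the write is conditional; without one it is
        unconditional. updateTime is server-owned and ignored if supplied."""
        constraint = policy["constraint"]
        etag = policy.get("etag")
        if etag is not None and etag != self._etag(self._stored(resource, constraint)):
            raise ConflictError("etag mismatch: Policy changed since it was read")
        self._policies[(resource, constraint)] = {
            k: v for k, v in policy.items() if k not in ("etag", "updateTime")}
        return self.get_org_policy(resource, constraint)


def add_allowed_value(store, resource, constraint, value, max_attempts=3) -> dict:
    """Read the Policy and its etag, modify it, write it back conditionally,
    and re-read on conflict so a concurrent change is never silently overwritten."""
    for _ in range(max_attempts):
        current = store.get_org_policy(resource, constraint)
        list_policy = dict(current.get("listPolicy", {}))
        allowed = list(list_policy.get("allowedValues", []))
        if value not in allowed:
            allowed.append(value)
        list_policy["allowedValues"] = allowed
        try:
            return store.set_org_policy(resource, {**current, "listPolicy": list_policy})
        except ConflictError:
            continue  # someone else wrote first: re-read and retry
    raise RuntimeError("gave up after repeated etag conflicts")


def lost_update_demo(store, resource, constraint) -> list:
    """Two writers that both drop the etag: the later write silently wins."""
    a = store.get_org_policy(resource, constraint)
    b = dict(a)
    a.pop("etag")
    b.pop("etag")
    a["listPolicy"] = {"allowedValues": ["E1"]}
    b["listPolicy"] = {"allowedValues": ["E2"]}
    store.set_org_policy(resource, a)
    store.set_org_policy(resource, b)
    return store.get_org_policy(resource, constraint)["listPolicy"]["allowedValues"]


def conflict_demo(store, resource, constraint) -> Tuple[bool, list]:
    """The same race with etags kept: the stale write is rejected, and the
    retry loop merges both changes instead of losing one."""
    a = store.get_org_policy(resource, constraint)
    b = dict(a)
    a["listPolicy"] = {"allowedValues": ["E1"]}
    store.set_org_policy(resource, a)  # etag still current: accepted
    b["listPolicy"] = {"allowedValues": ["E2"]}
    try:
        store.set_org_policy(resource, b)  # stale etag: rejected
        rejected = False
    except ConflictError:
        rejected = True
    final = add_allowed_value(store, resource, constraint, "E2")
    return rejected, final["listPolicy"]["allowedValues"]
```

Run on a fresh store, lost_update_demo ends with only E2 allowed (the first writer's E1 is gone), while conflict_demo returns (True, ["E1", "E2"]): the stale write was refused and the retry merged both values. Note that get_effective_policy carries no etag, matching the docs, so its result cannot be used as the basis for a conditional write.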
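The layering rules spelled out for enforced (boolean policies) and inherit-from-parent (list policies) decide what a policy actually permits once several levels of the hierarchy are involved, and they are easy to misjudge by eye. The following is an added example, not code from this CLI or from the API, that models those rules offline and reproduces the documented examples: nearest Policy wins, RestoreDefault and "no Policy" fall back to constraint_default, all_values ALLOW/DENY short-circuit, inherited values are added to the resource's own, a denied value loses even when also allowed, and "under:" entries cover a subtree. The dataclasses, the ALL/NONE/VALUES modes, the sample hierarchy, and two edge-case choices marked as assumptions in the code (an ALL/NONE parent contributes no values; a policy with only denied values accepts everything else) are this example's own.

```python
# Added example (not the CLI's or the API's own code): an offline model of the
# layering rules given for enforced and inherit-from-parent. The dataclasses,
# the ALL/NONE/VALUES modes and the sample hierarchy are constructed here.
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALLOW, DENY = "ALLOW", "DENY"               # constraint_default values
ALL_VALUES_UNSPECIFIED = "ALL_VALUES_UNSPECIFIED"

@dataclass(frozen=True)
class BooleanPolicy:
    enforced: bool

@dataclass(frozen=True)
class ListPolicy:
    allowed_values: FrozenSet[str] = frozenset()
    denied_values: FrozenSet[str] = frozenset()
    all_values: str = ALL_VALUES_UNSPECIFIED  # or ALLOW / DENY
    inherit_from_parent: bool = False

@dataclass(frozen=True)
class Policy:
    boolean_policy: Optional[BooleanPolicy] = None
    list_policy: Optional[ListPolicy] = None
    restore_default: bool = False           # {RestoreDefault: {}}

@dataclass(frozen=True)
class EffectiveList:
    mode: str                               # "ALL", "NONE" or "VALUES"
    allowed: FrozenSet[str] = frozenset()
    denied: FrozenSet[str] = frozenset()

# Constructed child -> parent map: the docs' organizations/foo above projects/bar,
# plus the Example 10 tree O1->{F1, F2}; F1->{P1}; F2->{P2, P3} used as values.
HIERARCHY = {
    "organizations/foo": None, "projects/bar": "organizations/foo",
    "organizations/O1": None, "folders/F1": "organizations/O1",
    "folders/F2": "organizations/O1", "projects/P1": "folders/F1",
    "projects/P2": "folders/F2", "projects/P3": "folders/F2",
}

def nearest_policy(resource, hierarchy, policies):
    """Walk upwards; return (resource, Policy) for the first Policy found, else (None, None)."""
    node = resource
    while node is not None:
        if node in policies:
            return node, policies[node]
        node = hierarchy.get(node)
    return None, None

def boolean_enforced(resource, hierarchy, policies, constraint_default):
    """Nearest Policy wins; RestoreDefault or no Policy falls back to constraint_default
    (the docs show the ALLOW case; treating DENY as "enforced" is this example's inference)."""
    _, pol = nearest_policy(resource, hierarchy, policies)
    if pol is None or pol.restore_default or pol.boolean_policy is None:
        return constraint_default == DENY
    return pol.boolean_policy.enforced

def effective_list(resource, hierarchy, policies, constraint_default):
    """Nearest Policy wins; with inherit_from_parent the parent's effective values are added."""
    default = EffectiveList("ALL" if constraint_default == ALLOW else "NONE")
    at, pol = nearest_policy(resource, hierarchy, policies)
    if pol is None or pol.restore_default or pol.list_policy is None:
        return default
    lp = pol.list_policy
    if lp.all_values in (ALLOW, DENY):      # {all: ALLOW} / {all: DENY}
        return EffectiveList("ALL" if lp.all_values == ALLOW else "NONE")
    allowed, denied = lp.allowed_values, lp.denied_values
    if lp.inherit_from_parent and hierarchy.get(at) is not None:
        parent = effective_list(hierarchy[at], hierarchy, policies, constraint_default)
        if parent.mode == "VALUES":         # an ALL/NONE parent adds no values (assumption)
            allowed, denied = allowed | parent.allowed, denied | parent.denied
    return EffectiveList("VALUES", allowed, denied)

def is_under(value, ancestor, hierarchy):
    """True if value is ancestor itself or lies anywhere beneath it."""
    node = value
    while node is not None:
        if node == ancestor:
            return True
        node = hierarchy.get(node)
    return False

def matches(patterns, value, hierarchy):
    """Plain entries match exactly; "under:X" matches X and its whole subtree."""
    return any(is_under(value, p[len("under:"):], hierarchy) if p.startswith("under:")
               else p == value for p in patterns)

def is_accepted(value, resource, hierarchy, policies, constraint_default):
    eff = effective_list(resource, hierarchy, policies, constraint_default)
    if eff.mode != "VALUES":
        return eff.mode == "ALL"
    if matches(eff.denied, value, hierarchy):   # a denied value loses even if also allowed
        return False
    # With no allowed values at all, anything not denied is accepted (assumption).
    return not eff.allowed or matches(eff.allowed, value, hierarchy)

def accepted_values(candidates, resource, hierarchy, policies, constraint_default):
    return sorted(v for v in candidates
                  if is_accepted(v, resource, hierarchy, policies, constraint_default))
```

Feeding it the documented layerings gives the documented answers: with the Example 10 policies, accepted_values over the six resource names yields all six at organizations/foo and only organizations/O1, folders/F1 and projects/P1 at projects/bar, because under:folders/F2 denies P3 even though under:projects/P3 allows it. For the Example 3 list case the model is given inherit_from_parent: true explicitly, since the docs' result (only E2 accepted) presumes the parent's allowed values are inherited.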
About Cursors
The cursor position is key to comfortably set complex nested structures. The following rules apply:
- The cursor position is always set relative to the current one, unless the field name starts with the . character. Fields can be nested, such as in -r f.s.o.
- The cursor position is set relative to the top-level structure if it starts with ., e.g. -r .s.s.
- You can also set nested fields without setting the cursor explicitly. For example, to set a value relative to the current cursor position, you would specify -r struct.sub_struct=bar.
- You can move the cursor one level up by using two dots (..). Each additional dot moves it up one additional level. E.g. ... would go three levels up.
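To see how the cursor rules above turn the argument sequence into the nested SetOrgPolicyRequest structure, here is an added example (not the CLI's own code) that parses the tokens following -r against that structure used as a schema. The token handling is this example's reading of the rules: a token without "=" moves the cursor, a leading "." makes a path absolute from the top level, a token made only of dots moves the cursor up one level per dot beyond the first (so .. goes up one level), and a field listed as [type] is appended to on each invocation. SCHEMA, DOC_ARGS and the function names are constructed here; the real CLI's internals may differ.

```python
# Added example (not the CLI's own code): a parser for the -r request-value
# tokens following the "About Cursors" rules, with the request structure from
# the docs serving as the schema. Token handling is this example's reading of
# the rules: "=" assigns, a leading "." is absolute, n dots go up n-1 levels.
from typing import Dict, List, Union

Schema = Dict[str, Union[str, "Schema"]]

# The SetOrgPolicyRequest structure from the docs, leaf types as strings.
SCHEMA: Schema = {
    "policy": {
        "boolean-policy": {"enforced": "boolean"},
        "constraint": "string",
        "etag": "string",
        "list-policy": {
            "all-values": "string",
            "allowed-values": "[string]",
            "denied-values": "[string]",
            "inherit-from-parent": "boolean",
            "suggested-value": "string",
        },
        "update-time": "string",
        "version": "integer",
    }
}

# The argument sequence shown in the docs, split into the tokens that follow -r.
DOC_ARGS = [".policy.boolean-policy", "enforced=true", "..", "constraint=amet.",
            "etag=duo", "list-policy", "all-values=ipsum", "allowed-values=gubergren",
            "denied-values=lorem", "inherit-from-parent=false", "suggested-value=dolor",
            "..", "update-time=ea", "version=46"]


def move_cursor(cursor: List[str], token: str) -> List[str]:
    """Apply a cursor-movement token (one with no '=') to the current cursor."""
    if token and set(token) == {"."}:          # "..", "...": up one level per extra dot
        return cursor[: max(0, len(cursor) - (len(token) - 1))]
    if token.startswith("."):                   # absolute path from the top level
        return token[1:].split(".")
    return cursor + token.split(".")            # relative path, possibly nested


def coerce(kind: str, raw: str):
    """Convert the textual value to the leaf type named in the schema."""
    if kind == "boolean":
        if raw not in ("true", "false"):
            raise ValueError(f"expected true/false, got {raw!r}")
        return raw == "true"
    if kind == "integer":
        return int(raw)
    return raw


def assign(request: dict, schema: Schema, path: List[str], raw: str) -> None:
    """Set one leaf in the nested request, validating the path against the schema.
    Array leaves ("[type]") append, so repeating the argument builds the array."""
    node, spec = request, schema
    for key in path[:-1]:
        if not isinstance(spec.get(key), dict):
            raise KeyError("unknown structure field: " + ".".join(path))
        spec = spec[key]
        node = node.setdefault(key, {})
    kind = spec.get(path[-1])
    if not isinstance(kind, str):
        raise KeyError("unknown scalar field: " + ".".join(path))
    if kind.startswith("[") and kind.endswith("]"):
        node.setdefault(path[-1], []).append(coerce(kind[1:-1], raw))
    else:
        node[path[-1]] = coerce(kind, raw)


def parse_request_args(args: List[str], schema: Schema = SCHEMA) -> dict:
    """Build the nested request from the -r tokens, applying the cursor rules."""
    request: dict = {}
    cursor: List[str] = []
    for token in args:
        if "=" not in token:
            cursor = move_cursor(cursor, token)
            continue
        name, raw = token.split("=", 1)
        path = name[1:].split(".") if name.startswith(".") else cursor + name.split(".")
        assign(request, schema, path, raw)
    return request
```

parse_request_args(DOC_ARGS) yields the structure listed under "Required Request Value" with enforced as a boolean, version as the integer 46, and allowed-values and denied-values as one-element arrays; a misspelled field name raises KeyError instead of silently producing a request the API would reject.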
Optional Output Flags
The method's return value is a JSON encoded structure, which will be written to standard output by default.
- -o out
  - out specifies the destination to which to write the server's result to. It will be a JSON-encoded structure. The destination may be - to indicate standard output, or a filepath that is to contain the received bytes. If unset, it defaults to standard output.
Optional General Properties
The following properties can configure any call, and are not specific to this method.
- -p $-xgafv=string
  - V1 error format.
- -p access-token=string
  - OAuth access token.
- -p alt=string
  - Data format for response.
- -p callback=string
  - JSONP
- -p fields=string
  - Selector specifying which fields to include in a partial response.
- -p key=string
  - API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
- -p oauth-token=string
  - OAuth 2.0 token for the current user.
- -p pretty-print=boolean
  - Returns response with indentations and line breaks.
- -p quota-user=string
  - Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
- -p upload-type=string
  - Legacy upload protocol for media (e.g. "media", "multipart").
- -p upload-protocol=string
  - Upload protocol for media (e.g. "raw", "multipart").