lib/google/cloud/container_analysis/v1/doc/google/iam/v1/policy.rb in google-cloud-container_analysis-0.3.1 vs lib/google/cloud/container_analysis/v1/doc/google/iam/v1/policy.rb in google-cloud-container_analysis-0.3.2

@@ -18,31 +18,40 @@
     module V1
       # Defines an Identity and Access Management (IAM) policy. It is used to
       # specify access control policies for Cloud Platform resources.
       #
       #
-      # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
-      # `members` to a `role`, where the members can be user accounts, Google groups,
-      # Google domains, and service accounts. A `role` is a named list of permissions
-      # defined by IAM.
+      # A `Policy` is a collection of `bindings`. A `binding` binds one or more
+      # `members` to a single `role`. Members can be user accounts, service accounts,
+      # Google groups, and domains (such as G Suite). A `role` is a named list of
+      # permissions (defined by IAM or configured by users). A `binding` can
+      # optionally specify a `condition`, which is a logic expression that further
+      # constrains the role binding based on attributes about the request and/or
+      # target resource.
       #
       # **JSON Example**
       #
       #     {
       #       "bindings": [
       #         {
-      #           "role": "roles/owner",
+      #           "role": "roles/resourcemanager.organizationAdmin",
       #           "members": [
       #             "user:mike@example.com",
       #             "group:admins@example.com",
       #             "domain:google.com",
-      #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
+      #             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
       #           ]
       #         },
       #         {
-      #           "role": "roles/viewer",
-      #           "members": ["user:sean@example.com"]
+      #           "role": "roles/resourcemanager.organizationViewer",
+      #           "members": ["user:eve@example.com"],
+      #           "condition": {
+      #             "title": "expirable access",
+      #             "description": "Does not grant access after Sep 2020",
+      #             "expression": "request.time <
+      #             timestamp('2020-10-01T00:00:00.000Z')",
+      #           }
       #         }
       #       ]
       #     }
       #
       # **YAML Example**
@@ -50,32 +59,41 @@
       #     bindings:
       # * members:
       #   * user:mike@example.com
       #     * group:admins@example.com
       #       * domain:google.com
-      #       * serviceAccount:my-other-app@appspot.gserviceaccount.com
-      #         role: roles/owner
+      #       * serviceAccount:my-project-id@appspot.gserviceaccount.com
+      #         role: roles/resourcemanager.organizationAdmin
       #       * members:
-      #       * user:sean@example.com
-      #         role: roles/viewer
+      #       * user:eve@example.com
+      #         role: roles/resourcemanager.organizationViewer
+      #         condition:
+      #         title: expirable access
+      #         description: Does not grant access after Sep 2020
+      #         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
       #
-      #
-      #     For a description of IAM and its features, see the
-      #     [IAM developer's guide](https://cloud.google.com/iam/docs).
+      #       For a description of IAM and its features, see the
+      #       [IAM developer's guide](https://cloud.google.com/iam/docs).
       # @!attribute [rw] version
       #   @return [Integer]
       #     Specifies the format of the policy.
       #
       #     Valid values are 0, 1, and 3. Requests specifying an invalid value will be
       #     rejected.
       #
-      #     Policies with any conditional bindings must specify version 3. Policies
-      #     without any conditional bindings may specify any valid value or leave the
-      #     field unset.
+      #     Operations affecting conditional bindings must specify version 3. This can
+      #     be either setting a conditional policy, modifying a conditional binding,
+      #     or removing a conditional binding from the stored conditional policy.
+      #     Operations on non-conditional policies may specify any valid value or
+      #     leave the field unset.
+      #
+      #     If no etag is provided in the call to `setIamPolicy`, any version
+      #     compliance checks on the incoming and/or stored policy is skipped.
       # @!attribute [rw] bindings
       #   @return [Array<Google::Iam::V1::Binding>]
-      #     Associates a list of `members` to a `role`.
+      #     Associates a list of `members` to a `role`. Optionally may specify a
+      #     `condition` that determines when binding is in effect.
       #     `bindings` with no members will result in an error.
       # @!attribute [rw] etag
       #   @return [String]
       #     `etag` is used for optimistic concurrency control as a way to help
       #     prevent simultaneous updates of a policy from overwriting each other.
@@ -84,10 +102,12 @@
       #     conditions: An `etag` is returned in the response to `getIamPolicy`, and
       #     systems are expected to put that etag in the request to `setIamPolicy` to
       #     ensure that their change will be applied to the same version of the policy.
       #
       #     If no `etag` is provided in the call to `setIamPolicy`, then the existing
-      #     policy is overwritten.
+      #     policy is overwritten. Due to blind-set semantics of an etag-less policy,
+      #     'setIamPolicy' will not fail even if either of incoming or stored policy
+      #     does not meet the version requirements.
       class Policy; end
 
       # Associates `members` with a `role`.
       # @!attribute [rw] role
       #   @return [String]
\ No newline at end of file