Cloud Resource Manager API . folders

Instance Methods

clearOrgPolicy(resource=*, body=*, x__xgafv=None)

Clears a `Policy` from a resource.

getEffectiveOrgPolicy(resource=*, body=*, x__xgafv=None)

Gets the effective `Policy` on a resource. This is the result of merging

getOrgPolicy(resource=*, body=*, x__xgafv=None)

Gets a `Policy` on a resource.

listAvailableOrgPolicyConstraints(resource=*, body=*, x__xgafv=None)

Lists `Constraints` that could be applied on the specified resource.

listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)

Retrieves the next page of results.

listOrgPolicies(resource=*, body=*, x__xgafv=None)

Lists all the `Policies` set for a particular resource.

listOrgPolicies_next(previous_request=*, previous_response=*)

Retrieves the next page of results.

setOrgPolicy(resource=*, body=*, x__xgafv=None)

Updates the specified `Policy` on the resource. Creates a new `Policy` for

Method Details

clearOrgPolicy(resource=*, body=*, x__xgafv=None)
Clears a `Policy` from a resource.

Args:
  resource: string, Name of the resource for the `Policy` to clear. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ClearOrgPolicy method.
    "etag": "A String", # The current version, for concurrency control. Not sending an `etag`
        # will cause the `Policy` to be cleared blindly.
    "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method. For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }
getEffectiveOrgPolicy(resource=*, body=*, x__xgafv=None)
Gets the effective `Policy` on a resource. This is the result of merging
`Policies` in the resource hierarchy. The returned `Policy` will not have
an `etag`set because it is a computed `Policy` across multiple resources.
Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
not be expanded.

Args:
  resource: string, The name of the resource to start computing the effective `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetEffectiveOrgPolicy method.
    "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
        # server, not specified by the caller, and represents the last time a call to
        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
        # be ignored.
    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
        # `constraints/serviceuser.services`.
        #
        # Immutable after creation.
    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
        # `Constraint` type.
        # `constraint_default` enforcement behavior of the specific `Constraint` at
        # this resource.
        #
        # Suppose that `constraint_default` is set to `ALLOW` for the
        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
        # foo.com sets a `Policy` at their Organization resource node that restricts
        # the allowed service activations to deny all service activations. They
        # could then set a `Policy` with the `policy_type` `restore_default` on
        # several experimental projects, restoring the `constraint_default`
        # enforcement of the `Constraint` for only those projects, allowing those
        # projects to have all services activated.
    },
    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
        # resource.
        #
        # `ListPolicy` can define specific values and subtrees of Cloud Resource
        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
        # are allowed or denied by setting the `allowed_values` and `denied_values`
        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
        # The `under:` prefix is used to denote resource subtree values.
        # The `is:` prefix is used to denote specific values, and is required only
        # if the value contains a ":". Values prefixed with "is:" are treated the
        # same as values with no prefix.
        # Ancestry subtrees must be in one of the following formats:
        #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
        #     - "folders/<folder-id>", e.g. "folders/1234"
        #     - "organizations/<organization-id>", e.g. "organizations/1234"
        # The `supports_under` field of the associated `Constraint`  defines whether
        # ancestry prefixes can be used. You can set `allowed_values` and
        # `denied_values` in the same `Policy` if `all_values` is
        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
        # values. If `all_values` is set to either `ALLOW` or `DENY`,
        # `allowed_values` and `denied_values` must be unset.
      "allValues": "A String", # The policy all_values state.
      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
          #
          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
          # set to `true`, then the values from the effective `Policy` of the parent
          # resource are inherited, meaning the values set in this `Policy` are
          # added to the values inherited up the hierarchy.
          #
          # Setting `Policy` hierarchies that inherit both allowed values and denied
          # values isn't recommended in most circumstances to keep the configuration
          # simple and understandable. However, it is possible to set a `Policy` with
          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
          # In this case, the values that are allowed must be in `allowed_values` and
          # not present in `denied_values`.
          #
          # For example, suppose you have a `Constraint`
          # `constraints/serviceuser.services`, which has a `constraint_type` of
          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
          # Suppose that at the Organization level, a `Policy` is applied that
          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
          # `Policy` is applied to a project below the Organization that has
          # `inherit_from_parent` set to `false` and field all_values set to DENY,
          # then an attempt to activate any API will be denied.
          #
          # The following examples demonstrate different possible layerings for
          # `projects/bar` parented by `organizations/foo`:
          #
          # Example 1 (no inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has `inherit_from_parent` `false` and values:
          #     {allowed_values: "E3" allowed_values: "E4"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E3`, and `E4`.
          #
          # Example 2 (inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {value: "E3" value: "E4" inherit_from_parent: true}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
          #
          # Example 3 (inheriting both allowed and denied values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {denied_values: "E1"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The value accepted at `projects/bar` is `E2`.
          #
          # Example 4 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {RestoreDefault: {}}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 5 (no policy inherits parent policy):
          #   `organizations/foo` has no `Policy` set.
          #   `projects/bar` has no `Policy` set.
          # The accepted values at both levels are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 6 (ListConstraint allowing all):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: ALLOW}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # Any value is accepted at `projects/bar`.
          #
          # Example 7 (ListConstraint allowing none):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: DENY}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # No value is accepted at `projects/bar`.
          #
          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
          # Given the following resource hierarchy
          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "under:organizations/O1"}
          #   `projects/bar` has a `Policy` with:
          #     {allowed_values: "under:projects/P3"}
          #     {denied_values: "under:folders/F2"}
          # The accepted values at `organizations/foo` are `organizations/O1`,
          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
          #   `projects/P3`.
          # The accepted values at `projects/bar` are `organizations/O1`,
          #   `folders/F1`, `projects/P1`.
      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
          # that matches the value specified in this `Policy`. If `suggested_value`
          # is not set, it will inherit the value specified higher in the hierarchy,
          # unless `inherit_from_parent` is `false`.
      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
    },
    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
        # resource.
      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
          # configuration is acceptable.
          #
          # Suppose you have a `Constraint`
          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
          # behavior:
          #   - If the `Policy` at this resource has enforced set to `false`, serial
          #     port connection attempts will be allowed.
          #   - If the `Policy` at this resource has enforced set to `true`, serial
          #     port connection attempts will be refused.
          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
          #     connection attempts will be allowed.
          #   - If no `Policy` is set at this resource or anywhere higher in the
          #     resource hierarchy, serial port connection attempts will be allowed.
          #   - If no `Policy` is set at this resource, but one exists higher in the
          #     resource hierarchy, the behavior is as if the`Policy` were set at
          #     this resource.
          #
          # The following examples demonstrate the different possible layerings:
          #
          # Example 1 (nearest `Constraint` wins):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has no `Policy` set.
          # The constraint at `projects/bar` and `organizations/foo` will not be
          # enforced.
          #
          # Example 2 (enforcement gets replaced):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has a `Policy` with:
          #     {enforced: true}
          # The constraint at `organizations/foo` is not enforced.
          # The constraint at `projects/bar` is enforced.
          #
          # Example 3 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: true}
          #   `projects/bar` has a `Policy` with:
          #     {RestoreDefault: {}}
          # The constraint at `organizations/foo` is enforced.
          # The constraint at `projects/bar` is not enforced, because
          # `constraint_default` for the `Constraint` is `ALLOW`.
    },
    "version": 42, # Version of the `Policy`. Default version is 0;
    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
        # concurrency control.
        #
        # When the `Policy` is returned from either a `GetPolicy` or a
        # `ListOrgPolicy` request, this `etag` indicates the version of the current
        # `Policy` to use when executing a read-modify-write loop.
        #
        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
        # `etag` will be unset.
        #
        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
        # that was returned from a `GetOrgPolicy` request as part of a
        # read-modify-write loop for concurrency control. Not setting the `etag`in a
        # `SetOrgPolicy` request will result in an unconditional write of the
        # `Policy`.
  }
getOrgPolicy(resource=*, body=*, x__xgafv=None)
Gets a `Policy` on a resource.

If no `Policy` is set on the resource, a `Policy` is returned with default
values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The
`etag` value can be used with `SetOrgPolicy()` to create or update a
`Policy` during read-modify-write.

Args:
  resource: string, Name of the resource the `Policy` is set on. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the GetOrgPolicy method.
    "constraint": "A String", # Name of the `Constraint` to get the `Policy`.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
        # server, not specified by the caller, and represents the last time a call to
        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
        # be ignored.
    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
        # `constraints/serviceuser.services`.
        #
        # Immutable after creation.
    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
        # `Constraint` type.
        # `constraint_default` enforcement behavior of the specific `Constraint` at
        # this resource.
        #
        # Suppose that `constraint_default` is set to `ALLOW` for the
        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
        # foo.com sets a `Policy` at their Organization resource node that restricts
        # the allowed service activations to deny all service activations. They
        # could then set a `Policy` with the `policy_type` `restore_default` on
        # several experimental projects, restoring the `constraint_default`
        # enforcement of the `Constraint` for only those projects, allowing those
        # projects to have all services activated.
    },
    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
        # resource.
        #
        # `ListPolicy` can define specific values and subtrees of Cloud Resource
        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
        # are allowed or denied by setting the `allowed_values` and `denied_values`
        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
        # The `under:` prefix is used to denote resource subtree values.
        # The `is:` prefix is used to denote specific values, and is required only
        # if the value contains a ":". Values prefixed with "is:" are treated the
        # same as values with no prefix.
        # Ancestry subtrees must be in one of the following formats:
        #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
        #     - "folders/<folder-id>", e.g. "folders/1234"
        #     - "organizations/<organization-id>", e.g. "organizations/1234"
        # The `supports_under` field of the associated `Constraint`  defines whether
        # ancestry prefixes can be used. You can set `allowed_values` and
        # `denied_values` in the same `Policy` if `all_values` is
        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
        # values. If `all_values` is set to either `ALLOW` or `DENY`,
        # `allowed_values` and `denied_values` must be unset.
      "allValues": "A String", # The policy all_values state.
      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
          #
          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
          # set to `true`, then the values from the effective `Policy` of the parent
          # resource are inherited, meaning the values set in this `Policy` are
          # added to the values inherited up the hierarchy.
          #
          # Setting `Policy` hierarchies that inherit both allowed values and denied
          # values isn't recommended in most circumstances to keep the configuration
          # simple and understandable. However, it is possible to set a `Policy` with
          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
          # In this case, the values that are allowed must be in `allowed_values` and
          # not present in `denied_values`.
          #
          # For example, suppose you have a `Constraint`
          # `constraints/serviceuser.services`, which has a `constraint_type` of
          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
          # Suppose that at the Organization level, a `Policy` is applied that
          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
          # `Policy` is applied to a project below the Organization that has
          # `inherit_from_parent` set to `false` and field all_values set to DENY,
          # then an attempt to activate any API will be denied.
          #
          # The following examples demonstrate different possible layerings for
          # `projects/bar` parented by `organizations/foo`:
          #
          # Example 1 (no inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has `inherit_from_parent` `false` and values:
          #     {allowed_values: "E3" allowed_values: "E4"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E3`, and `E4`.
          #
          # Example 2 (inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {value: "E3" value: "E4" inherit_from_parent: true}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
          #
          # Example 3 (inheriting both allowed and denied values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {denied_values: "E1"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The value accepted at `projects/bar` is `E2`.
          #
          # Example 4 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {RestoreDefault: {}}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 5 (no policy inherits parent policy):
          #   `organizations/foo` has no `Policy` set.
          #   `projects/bar` has no `Policy` set.
          # The accepted values at both levels are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 6 (ListConstraint allowing all):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: ALLOW}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # Any value is accepted at `projects/bar`.
          #
          # Example 7 (ListConstraint allowing none):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: DENY}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # No value is accepted at `projects/bar`.
          #
          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
          # Given the following resource hierarchy
          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "under:organizations/O1"}
          #   `projects/bar` has a `Policy` with:
          #     {allowed_values: "under:projects/P3"}
          #     {denied_values: "under:folders/F2"}
          # The accepted values at `organizations/foo` are `organizations/O1`,
          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
          #   `projects/P3`.
          # The accepted values at `projects/bar` are `organizations/O1`,
          #   `folders/F1`, `projects/P1`.
      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
          # that matches the value specified in this `Policy`. If `suggested_value`
          # is not set, it will inherit the value specified higher in the hierarchy,
          # unless `inherit_from_parent` is `false`.
      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
    },
    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
        # resource.
      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
          # configuration is acceptable.
          #
          # Suppose you have a `Constraint`
          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
          # behavior:
          #   - If the `Policy` at this resource has enforced set to `false`, serial
          #     port connection attempts will be allowed.
          #   - If the `Policy` at this resource has enforced set to `true`, serial
          #     port connection attempts will be refused.
          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
          #     connection attempts will be allowed.
          #   - If no `Policy` is set at this resource or anywhere higher in the
          #     resource hierarchy, serial port connection attempts will be allowed.
          #   - If no `Policy` is set at this resource, but one exists higher in the
          #     resource hierarchy, the behavior is as if the`Policy` were set at
          #     this resource.
          #
          # The following examples demonstrate the different possible layerings:
          #
          # Example 1 (nearest `Constraint` wins):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has no `Policy` set.
          # The constraint at `projects/bar` and `organizations/foo` will not be
          # enforced.
          #
          # Example 2 (enforcement gets replaced):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has a `Policy` with:
          #     {enforced: true}
          # The constraint at `organizations/foo` is not enforced.
          # The constraint at `projects/bar` is enforced.
          #
          # Example 3 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: true}
          #   `projects/bar` has a `Policy` with:
          #     {RestoreDefault: {}}
          # The constraint at `organizations/foo` is enforced.
          # The constraint at `projects/bar` is not enforced, because
          # `constraint_default` for the `Constraint` is `ALLOW`.
    },
    "version": 42, # Version of the `Policy`. Default version is 0;
    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
        # concurrency control.
        #
        # When the `Policy` is returned from either a `GetPolicy` or a
        # `ListOrgPolicy` request, this `etag` indicates the version of the current
        # `Policy` to use when executing a read-modify-write loop.
        #
        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
        # `etag` will be unset.
        #
        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
        # that was returned from a `GetOrgPolicy` request as part of a
        # read-modify-write loop for concurrency control. Not setting the `etag`in a
        # `SetOrgPolicy` request will result in an unconditional write of the
        # `Policy`.
  }
listAvailableOrgPolicyConstraints(resource=*, body=*, x__xgafv=None)
Lists `Constraints` that could be applied on the specified resource.

Args:
  resource: string, Name of the resource to list `Constraints` for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the [ListAvailableOrgPolicyConstraints]
      # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListAvailableOrgPolicyConstraints method.
      # Returns all `Constraints` that could be set at this level of the hierarchy
      # (contrast with the response from `ListPolicies`, which returns all policies
      # which are set).
    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
    "constraints": [ # The collection of constraints that are settable on the request resource.
      { # A `Constraint` describes a way in which a resource's configuration can be
          # restricted. For example, it controls which cloud services can be activated
          # across an organization, or whether a Compute Engine instance can have
          # serial port connections established. `Constraints` can be configured by the
          # organization's policy adminstrator to fit the needs of the organzation by
          # setting Policies for `Constraints` at different locations in the
          # organization's resource hierarchy. Policies are inherited down the resource
          # hierarchy from higher levels, but can also be overridden. For details about
          # the inheritance rules please read about
          # Policies.
          #
          # `Constraints` have a default behavior determined by the `constraint_default`
          # field, which is the enforcement behavior that is used in the absence of a
          # `Policy` being defined or inherited for the resource in question.
        "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
        "displayName": "A String", # The human readable name.
            #
            # Mutable.
        "name": "A String", # Immutable value, required to globally be unique. For example,
            # `constraints/serviceuser.services`
        "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
            #
            # For example a constraint `constraints/compute.disableSerialPortAccess`.
            # If it is enforced on a VM instance, serial port connections will not be
            # opened to that instance.
        },
        "version": 42, # Version of the `Constraint`. Default version is 0;
        "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
            # configured by an Organization's policy administrator with a `Policy`.
          "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy
              # can be used in `Policy.allowed_values` and `Policy.denied_values`. For
              # example, `"under:folders/123"` would match any resource under the
              # 'folders/123' folder.
          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
              # that matches the value specified in this `Constraint`.
        },
        "description": "A String", # Detailed description of what this `Constraint` controls as well as how and
            # where it is enforced.
            #
            # Mutable.
      },
    ],
  }
listAvailableOrgPolicyConstraints_next(previous_request=*, previous_response=*)
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    
listOrgPolicies(resource=*, body=*, x__xgafv=None)
Lists all the `Policies` set for a particular resource.

Args:
  resource: string, Name of the resource to list Policies for. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the ListOrgPolicies method.
    "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
        # and will be ignored. The server may at any point start using this field.
    "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
        # be ignored. The server may at any point start using this field to limit
        # page size.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # The response returned from the ListOrgPolicies method. It will be empty
      # if no `Policies` are set on the resource.
    "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
        # the server may at any point start supplying a valid token.
    "policies": [ # The `Policies` that are set on the resource. It will be empty if no
        # `Policies` are set.
      { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
          # for configurations of Cloud Platform resources.
        "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
            # server, not specified by the caller, and represents the last time a call to
            # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
            # be ignored.
        "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
            # `constraints/serviceuser.services`.
            #
            # Immutable after creation.
        "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
            # `Constraint` type.
            # `constraint_default` enforcement behavior of the specific `Constraint` at
            # this resource.
            #
            # Suppose that `constraint_default` is set to `ALLOW` for the
            # `Constraint` `constraints/serviceuser.services`. Suppose that organization
            # foo.com sets a `Policy` at their Organization resource node that restricts
            # the allowed service activations to deny all service activations. They
            # could then set a `Policy` with the `policy_type` `restore_default` on
            # several experimental projects, restoring the `constraint_default`
            # enforcement of the `Constraint` for only those projects, allowing those
            # projects to have all services activated.
        },
        "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
            # resource.
            #
            # `ListPolicy` can define specific values and subtrees of Cloud Resource
            # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
            # are allowed or denied by setting the `allowed_values` and `denied_values`
            # fields. This is achieved by using the `under:` and optional `is:` prefixes.
            # The `under:` prefix is used to denote resource subtree values.
            # The `is:` prefix is used to denote specific values, and is required only
            # if the value contains a ":". Values prefixed with "is:" are treated the
            # same as values with no prefix.
            # Ancestry subtrees must be in one of the following formats:
            #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
            #     - "folders/<folder-id>", e.g. "folders/1234"
            #     - "organizations/<organization-id>", e.g. "organizations/1234"
            # The `supports_under` field of the associated `Constraint`  defines whether
            # ancestry prefixes can be used. You can set `allowed_values` and
            # `denied_values` in the same `Policy` if `all_values` is
            # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
            # values. If `all_values` is set to either `ALLOW` or `DENY`,
            # `allowed_values` and `denied_values` must be unset.
          "allValues": "A String", # The policy all_values state.
          "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
              # is set to `ALL_VALUES_UNSPECIFIED`.
            "A String",
          ],
          "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
              #
              # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
              # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
              # set to `true`, then the values from the effective `Policy` of the parent
              # resource are inherited, meaning the values set in this `Policy` are
              # added to the values inherited up the hierarchy.
              #
              # Setting `Policy` hierarchies that inherit both allowed values and denied
              # values isn't recommended in most circumstances to keep the configuration
              # simple and understandable. However, it is possible to set a `Policy` with
              # `allowed_values` set that inherits a `Policy` with `denied_values` set.
              # In this case, the values that are allowed must be in `allowed_values` and
              # not present in `denied_values`.
              #
              # For example, suppose you have a `Constraint`
              # `constraints/serviceuser.services`, which has a `constraint_type` of
              # `list_constraint`, and with `constraint_default` set to `ALLOW`.
              # Suppose that at the Organization level, a `Policy` is applied that
              # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
              # `Policy` is applied to a project below the Organization that has
              # `inherit_from_parent` set to `false` and field all_values set to DENY,
              # then an attempt to activate any API will be denied.
              #
              # The following examples demonstrate different possible layerings for
              # `projects/bar` parented by `organizations/foo`:
              #
              # Example 1 (no inherited values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values:"E2"}
              #   `projects/bar` has `inherit_from_parent` `false` and values:
              #     {allowed_values: "E3" allowed_values: "E4"}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are `E3`, and `E4`.
              #
              # Example 2 (inherited values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values:"E2"}
              #   `projects/bar` has a `Policy` with values:
              #     {value: "E3" value: "E4" inherit_from_parent: true}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
              #
              # Example 3 (inheriting both allowed and denied values):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {denied_values: "E1"}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The value accepted at `projects/bar` is `E2`.
              #
              # Example 4 (RestoreDefault):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values:"E2"}
              #   `projects/bar` has a `Policy` with values:
              #     {RestoreDefault: {}}
              # The accepted values at `organizations/foo` are `E1`, `E2`.
              # The accepted values at `projects/bar` are either all or none depending on
              # the value of `constraint_default` (if `ALLOW`, all; if
              # `DENY`, none).
              #
              # Example 5 (no policy inherits parent policy):
              #   `organizations/foo` has no `Policy` set.
              #   `projects/bar` has no `Policy` set.
              # The accepted values at both levels are either all or none depending on
              # the value of `constraint_default` (if `ALLOW`, all; if
              # `DENY`, none).
              #
              # Example 6 (ListConstraint allowing all):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {all: ALLOW}
              # The accepted values at `organizations/foo` are `E1`, E2`.
              # Any value is accepted at `projects/bar`.
              #
              # Example 7 (ListConstraint allowing none):
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "E1" allowed_values: "E2"}
              #   `projects/bar` has a `Policy` with:
              #     {all: DENY}
              # The accepted values at `organizations/foo` are `E1`, E2`.
              # No value is accepted at `projects/bar`.
              #
              # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
              # Given the following resource hierarchy
              #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
              #   `organizations/foo` has a `Policy` with values:
              #     {allowed_values: "under:organizations/O1"}
              #   `projects/bar` has a `Policy` with:
              #     {allowed_values: "under:projects/P3"}
              #     {denied_values: "under:folders/F2"}
              # The accepted values at `organizations/foo` are `organizations/O1`,
              #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
              #   `projects/P3`.
              # The accepted values at `projects/bar` are `organizations/O1`,
              #   `folders/F1`, `projects/P1`.
          "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
              # that matches the value specified in this `Policy`. If `suggested_value`
              # is not set, it will inherit the value specified higher in the hierarchy,
              # unless `inherit_from_parent` is `false`.
          "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
              # is set to `ALL_VALUES_UNSPECIFIED`.
            "A String",
          ],
        },
        "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
            # resource.
          "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
              # configuration is acceptable.
              #
              # Suppose you have a `Constraint`
              # `constraints/compute.disableSerialPortAccess` with `constraint_default`
              # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
              # behavior:
              #   - If the `Policy` at this resource has enforced set to `false`, serial
              #     port connection attempts will be allowed.
              #   - If the `Policy` at this resource has enforced set to `true`, serial
              #     port connection attempts will be refused.
              #   - If the `Policy` at this resource is `RestoreDefault`, serial port
              #     connection attempts will be allowed.
              #   - If no `Policy` is set at this resource or anywhere higher in the
              #     resource hierarchy, serial port connection attempts will be allowed.
              #   - If no `Policy` is set at this resource, but one exists higher in the
              #     resource hierarchy, the behavior is as if the`Policy` were set at
              #     this resource.
              #
              # The following examples demonstrate the different possible layerings:
              #
              # Example 1 (nearest `Constraint` wins):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: false}
              #   `projects/bar` has no `Policy` set.
              # The constraint at `projects/bar` and `organizations/foo` will not be
              # enforced.
              #
              # Example 2 (enforcement gets replaced):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: false}
              #   `projects/bar` has a `Policy` with:
              #     {enforced: true}
              # The constraint at `organizations/foo` is not enforced.
              # The constraint at `projects/bar` is enforced.
              #
              # Example 3 (RestoreDefault):
              #   `organizations/foo` has a `Policy` with:
              #     {enforced: true}
              #   `projects/bar` has a `Policy` with:
              #     {RestoreDefault: {}}
              # The constraint at `organizations/foo` is enforced.
              # The constraint at `projects/bar` is not enforced, because
              # `constraint_default` for the `Constraint` is `ALLOW`.
        },
        "version": 42, # Version of the `Policy`. Default version is 0;
        "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
            # concurrency control.
            #
            # When the `Policy` is returned from either a `GetPolicy` or a
            # `ListOrgPolicy` request, this `etag` indicates the version of the current
            # `Policy` to use when executing a read-modify-write loop.
            #
            # When the `Policy` is returned from a `GetEffectivePolicy` request, the
            # `etag` will be unset.
            #
            # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
            # that was returned from a `GetOrgPolicy` request as part of a
            # read-modify-write loop for concurrency control. Not setting the `etag`in a
            # `SetOrgPolicy` request will result in an unconditional write of the
            # `Policy`.
      },
    ],
  }
listOrgPolicies_next(previous_request=*, previous_response=*)
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    
setOrgPolicy(resource=*, body=*, x__xgafv=None)
Updates the specified `Policy` on the resource. Creates a new `Policy` for
that `Constraint` on the resource if one does not exist.

Not supplying an `etag` on the request `Policy` results in an unconditional
write of the `Policy`.

Args:
  resource: string, Resource name of the resource to attach the `Policy`. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # The request sent to the SetOrgPolicyRequest method.
    "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
        # for configurations of Cloud Platform resources.
      "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
          # server, not specified by the caller, and represents the last time a call to
          # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
          # be ignored.
      "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
          # `constraints/serviceuser.services`.
          #
          # Immutable after creation.
      "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
          # `Constraint` type.
          # `constraint_default` enforcement behavior of the specific `Constraint` at
          # this resource.
          #
          # Suppose that `constraint_default` is set to `ALLOW` for the
          # `Constraint` `constraints/serviceuser.services`. Suppose that organization
          # foo.com sets a `Policy` at their Organization resource node that restricts
          # the allowed service activations to deny all service activations. They
          # could then set a `Policy` with the `policy_type` `restore_default` on
          # several experimental projects, restoring the `constraint_default`
          # enforcement of the `Constraint` for only those projects, allowing those
          # projects to have all services activated.
      },
      "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
          # resource.
          #
          # `ListPolicy` can define specific values and subtrees of Cloud Resource
          # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
          # are allowed or denied by setting the `allowed_values` and `denied_values`
          # fields. This is achieved by using the `under:` and optional `is:` prefixes.
          # The `under:` prefix is used to denote resource subtree values.
          # The `is:` prefix is used to denote specific values, and is required only
          # if the value contains a ":". Values prefixed with "is:" are treated the
          # same as values with no prefix.
          # Ancestry subtrees must be in one of the following formats:
          #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
          #     - "folders/<folder-id>", e.g. "folders/1234"
          #     - "organizations/<organization-id>", e.g. "organizations/1234"
          # The `supports_under` field of the associated `Constraint`  defines whether
          # ancestry prefixes can be used. You can set `allowed_values` and
          # `denied_values` in the same `Policy` if `all_values` is
          # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
          # values. If `all_values` is set to either `ALLOW` or `DENY`,
          # `allowed_values` and `denied_values` must be unset.
        "allValues": "A String", # The policy all_values state.
        "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
        "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
            #
            # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
            # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
            # set to `true`, then the values from the effective `Policy` of the parent
            # resource are inherited, meaning the values set in this `Policy` are
            # added to the values inherited up the hierarchy.
            #
            # Setting `Policy` hierarchies that inherit both allowed values and denied
            # values isn't recommended in most circumstances to keep the configuration
            # simple and understandable. However, it is possible to set a `Policy` with
            # `allowed_values` set that inherits a `Policy` with `denied_values` set.
            # In this case, the values that are allowed must be in `allowed_values` and
            # not present in `denied_values`.
            #
            # For example, suppose you have a `Constraint`
            # `constraints/serviceuser.services`, which has a `constraint_type` of
            # `list_constraint`, and with `constraint_default` set to `ALLOW`.
            # Suppose that at the Organization level, a `Policy` is applied that
            # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
            # `Policy` is applied to a project below the Organization that has
            # `inherit_from_parent` set to `false` and field all_values set to DENY,
            # then an attempt to activate any API will be denied.
            #
            # The following examples demonstrate different possible layerings for
            # `projects/bar` parented by `organizations/foo`:
            #
            # Example 1 (no inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values:"E2"}
            #   `projects/bar` has `inherit_from_parent` `false` and values:
            #     {allowed_values: "E3" allowed_values: "E4"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E3`, and `E4`.
            #
            # Example 2 (inherited values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values:"E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {value: "E3" value: "E4" inherit_from_parent: true}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
            #
            # Example 3 (inheriting both allowed and denied values):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {denied_values: "E1"}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The value accepted at `projects/bar` is `E2`.
            #
            # Example 4 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values:"E2"}
            #   `projects/bar` has a `Policy` with values:
            #     {RestoreDefault: {}}
            # The accepted values at `organizations/foo` are `E1`, `E2`.
            # The accepted values at `projects/bar` are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 5 (no policy inherits parent policy):
            #   `organizations/foo` has no `Policy` set.
            #   `projects/bar` has no `Policy` set.
            # The accepted values at both levels are either all or none depending on
            # the value of `constraint_default` (if `ALLOW`, all; if
            # `DENY`, none).
            #
            # Example 6 (ListConstraint allowing all):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: ALLOW}
            # The accepted values at `organizations/foo` are `E1`, E2`.
            # Any value is accepted at `projects/bar`.
            #
            # Example 7 (ListConstraint allowing none):
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "E1" allowed_values: "E2"}
            #   `projects/bar` has a `Policy` with:
            #     {all: DENY}
            # The accepted values at `organizations/foo` are `E1`, E2`.
            # No value is accepted at `projects/bar`.
            #
            # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
            # Given the following resource hierarchy
            #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
            #   `organizations/foo` has a `Policy` with values:
            #     {allowed_values: "under:organizations/O1"}
            #   `projects/bar` has a `Policy` with:
            #     {allowed_values: "under:projects/P3"}
            #     {denied_values: "under:folders/F2"}
            # The accepted values at `organizations/foo` are `organizations/O1`,
            #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
            #   `projects/P3`.
            # The accepted values at `projects/bar` are `organizations/O1`,
            #   `folders/F1`, `projects/P1`.
        "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
            # that matches the value specified in this `Policy`. If `suggested_value`
            # is not set, it will inherit the value specified higher in the hierarchy,
            # unless `inherit_from_parent` is `false`.
        "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
            # is set to `ALL_VALUES_UNSPECIFIED`.
          "A String",
        ],
      },
      "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
          # resource.
        "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
            # configuration is acceptable.
            #
            # Suppose you have a `Constraint`
            # `constraints/compute.disableSerialPortAccess` with `constraint_default`
            # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
            # behavior:
            #   - If the `Policy` at this resource has enforced set to `false`, serial
            #     port connection attempts will be allowed.
            #   - If the `Policy` at this resource has enforced set to `true`, serial
            #     port connection attempts will be refused.
            #   - If the `Policy` at this resource is `RestoreDefault`, serial port
            #     connection attempts will be allowed.
            #   - If no `Policy` is set at this resource or anywhere higher in the
            #     resource hierarchy, serial port connection attempts will be allowed.
            #   - If no `Policy` is set at this resource, but one exists higher in the
            #     resource hierarchy, the behavior is as if the`Policy` were set at
            #     this resource.
            #
            # The following examples demonstrate the different possible layerings:
            #
            # Example 1 (nearest `Constraint` wins):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has no `Policy` set.
            # The constraint at `projects/bar` and `organizations/foo` will not be
            # enforced.
            #
            # Example 2 (enforcement gets replaced):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: false}
            #   `projects/bar` has a `Policy` with:
            #     {enforced: true}
            # The constraint at `organizations/foo` is not enforced.
            # The constraint at `projects/bar` is enforced.
            #
            # Example 3 (RestoreDefault):
            #   `organizations/foo` has a `Policy` with:
            #     {enforced: true}
            #   `projects/bar` has a `Policy` with:
            #     {RestoreDefault: {}}
            # The constraint at `organizations/foo` is enforced.
            # The constraint at `projects/bar` is not enforced, because
            # `constraint_default` for the `Constraint` is `ALLOW`.
      },
      "version": 42, # Version of the `Policy`. Default version is 0;
      "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
          # concurrency control.
          #
          # When the `Policy` is returned from either a `GetPolicy` or a
          # `ListOrgPolicy` request, this `etag` indicates the version of the current
          # `Policy` to use when executing a read-modify-write loop.
          #
          # When the `Policy` is returned from a `GetEffectivePolicy` request, the
          # `etag` will be unset.
          #
          # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
          # that was returned from a `GetOrgPolicy` request as part of a
          # read-modify-write loop for concurrency control. Not setting the `etag`in a
          # `SetOrgPolicy` request will result in an unconditional write of the
          # `Policy`.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
      # for configurations of Cloud Platform resources.
    "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
        # server, not specified by the caller, and represents the last time a call to
        # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
        # be ignored.
    "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
        # `constraints/serviceuser.services`.
        #
        # Immutable after creation.
    "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
        # `Constraint` type.
        # `constraint_default` enforcement behavior of the specific `Constraint` at
        # this resource.
        #
        # Suppose that `constraint_default` is set to `ALLOW` for the
        # `Constraint` `constraints/serviceuser.services`. Suppose that organization
        # foo.com sets a `Policy` at their Organization resource node that restricts
        # the allowed service activations to deny all service activations. They
        # could then set a `Policy` with the `policy_type` `restore_default` on
        # several experimental projects, restoring the `constraint_default`
        # enforcement of the `Constraint` for only those projects, allowing those
        # projects to have all services activated.
    },
    "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
        # resource.
        #
        # `ListPolicy` can define specific values and subtrees of Cloud Resource
        # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
        # are allowed or denied by setting the `allowed_values` and `denied_values`
        # fields. This is achieved by using the `under:` and optional `is:` prefixes.
        # The `under:` prefix is used to denote resource subtree values.
        # The `is:` prefix is used to denote specific values, and is required only
        # if the value contains a ":". Values prefixed with "is:" are treated the
        # same as values with no prefix.
        # Ancestry subtrees must be in one of the following formats:
        #     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
        #     - "folders/<folder-id>", e.g. "folders/1234"
        #     - "organizations/<organization-id>", e.g. "organizations/1234"
        # The `supports_under` field of the associated `Constraint`  defines whether
        # ancestry prefixes can be used. You can set `allowed_values` and
        # `denied_values` in the same `Policy` if `all_values` is
        # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
        # values. If `all_values` is set to either `ALLOW` or `DENY`,
        # `allowed_values` and `denied_values` must be unset.
      "allValues": "A String", # The policy all_values state.
      "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
      "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
          #
          # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
          # anywhere up the resource hierarchy. However, if `inherit_from_parent` is
          # set to `true`, then the values from the effective `Policy` of the parent
          # resource are inherited, meaning the values set in this `Policy` are
          # added to the values inherited up the hierarchy.
          #
          # Setting `Policy` hierarchies that inherit both allowed values and denied
          # values isn't recommended in most circumstances to keep the configuration
          # simple and understandable. However, it is possible to set a `Policy` with
          # `allowed_values` set that inherits a `Policy` with `denied_values` set.
          # In this case, the values that are allowed must be in `allowed_values` and
          # not present in `denied_values`.
          #
          # For example, suppose you have a `Constraint`
          # `constraints/serviceuser.services`, which has a `constraint_type` of
          # `list_constraint`, and with `constraint_default` set to `ALLOW`.
          # Suppose that at the Organization level, a `Policy` is applied that
          # restricts the allowed API activations to {`E1`, `E2`}. Then, if a
          # `Policy` is applied to a project below the Organization that has
          # `inherit_from_parent` set to `false` and field all_values set to DENY,
          # then an attempt to activate any API will be denied.
          #
          # The following examples demonstrate different possible layerings for
          # `projects/bar` parented by `organizations/foo`:
          #
          # Example 1 (no inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has `inherit_from_parent` `false` and values:
          #     {allowed_values: "E3" allowed_values: "E4"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E3`, and `E4`.
          #
          # Example 2 (inherited values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {value: "E3" value: "E4" inherit_from_parent: true}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
          #
          # Example 3 (inheriting both allowed and denied values):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {denied_values: "E1"}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The value accepted at `projects/bar` is `E2`.
          #
          # Example 4 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values:"E2"}
          #   `projects/bar` has a `Policy` with values:
          #     {RestoreDefault: {}}
          # The accepted values at `organizations/foo` are `E1`, `E2`.
          # The accepted values at `projects/bar` are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 5 (no policy inherits parent policy):
          #   `organizations/foo` has no `Policy` set.
          #   `projects/bar` has no `Policy` set.
          # The accepted values at both levels are either all or none depending on
          # the value of `constraint_default` (if `ALLOW`, all; if
          # `DENY`, none).
          #
          # Example 6 (ListConstraint allowing all):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: ALLOW}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # Any value is accepted at `projects/bar`.
          #
          # Example 7 (ListConstraint allowing none):
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "E1" allowed_values: "E2"}
          #   `projects/bar` has a `Policy` with:
          #     {all: DENY}
          # The accepted values at `organizations/foo` are `E1`, E2`.
          # No value is accepted at `projects/bar`.
          #
          # Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
          # Given the following resource hierarchy
          #   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
          #   `organizations/foo` has a `Policy` with values:
          #     {allowed_values: "under:organizations/O1"}
          #   `projects/bar` has a `Policy` with:
          #     {allowed_values: "under:projects/P3"}
          #     {denied_values: "under:folders/F2"}
          # The accepted values at `organizations/foo` are `organizations/O1`,
          #   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
          #   `projects/P3`.
          # The accepted values at `projects/bar` are `organizations/O1`,
          #   `folders/F1`, `projects/P1`.
      "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
          # that matches the value specified in this `Policy`. If `suggested_value`
          # is not set, it will inherit the value specified higher in the hierarchy,
          # unless `inherit_from_parent` is `false`.
      "allowedValues": [ # List of values allowed  at this resource. Can only be set if `all_values`
          # is set to `ALL_VALUES_UNSPECIFIED`.
        "A String",
      ],
    },
    "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
        # resource.
      "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
          # configuration is acceptable.
          #
          # Suppose you have a `Constraint`
          # `constraints/compute.disableSerialPortAccess` with `constraint_default`
          # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
          # behavior:
          #   - If the `Policy` at this resource has enforced set to `false`, serial
          #     port connection attempts will be allowed.
          #   - If the `Policy` at this resource has enforced set to `true`, serial
          #     port connection attempts will be refused.
          #   - If the `Policy` at this resource is `RestoreDefault`, serial port
          #     connection attempts will be allowed.
          #   - If no `Policy` is set at this resource or anywhere higher in the
          #     resource hierarchy, serial port connection attempts will be allowed.
          #   - If no `Policy` is set at this resource, but one exists higher in the
          #     resource hierarchy, the behavior is as if the`Policy` were set at
          #     this resource.
          #
          # The following examples demonstrate the different possible layerings:
          #
          # Example 1 (nearest `Constraint` wins):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has no `Policy` set.
          # The constraint at `projects/bar` and `organizations/foo` will not be
          # enforced.
          #
          # Example 2 (enforcement gets replaced):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: false}
          #   `projects/bar` has a `Policy` with:
          #     {enforced: true}
          # The constraint at `organizations/foo` is not enforced.
          # The constraint at `projects/bar` is enforced.
          #
          # Example 3 (RestoreDefault):
          #   `organizations/foo` has a `Policy` with:
          #     {enforced: true}
          #   `projects/bar` has a `Policy` with:
          #     {RestoreDefault: {}}
          # The constraint at `organizations/foo` is enforced.
          # The constraint at `projects/bar` is not enforced, because
          # `constraint_default` for the `Constraint` is `ALLOW`.
    },
    "version": 42, # Version of the `Policy`. Default version is 0;
    "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
        # concurrency control.
        #
        # When the `Policy` is returned from either a `GetPolicy` or a
        # `ListOrgPolicy` request, this `etag` indicates the version of the current
        # `Policy` to use when executing a read-modify-write loop.
        #
        # When the `Policy` is returned from a `GetEffectivePolicy` request, the
        # `etag` will be unset.
        #
        # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
        # that was returned from a `GetOrgPolicy` request as part of a
        # read-modify-write loop for concurrency control. Not setting the `etag`in a
        # `SetOrgPolicy` request will result in an unconditional write of the
        # `Policy`.
  }