role_assignments
Creates, updates, deletes, gets or lists a role_assignments resource.
Overview
Name | role_assignments |
---|---|
Type | Resource |
Id | googleadmin.directory.role_assignments |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
assignedTo | string | The unique ID of the entity this role is assigned to—either the user_id of a user, the group_id of a group, or the uniqueId of a service account as defined in Identity and Access Management (IAM). |
assigneeType | string | Output only. The type of the assignee (USER or GROUP). |
condition | string | Optional. The condition associated with this role assignment. Note: this feature is available to Enterprise Standard, Enterprise Plus, Google Workspace for Education Plus and Cloud Identity Premium customers. A RoleAssignment with the condition field set only takes effect when the resource being accessed meets the condition. If condition is empty, the role (role_id) is applied to the actor (assigned_to) at the scope (scope_type) unconditionally. The condition follows Cloud IAM condition syntax. Currently the following conditions are supported, and the condition strings must be given verbatim: (1) to make the RoleAssignment apply only to Security Groups: `api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`; (2) to make the RoleAssignment not apply to Security Groups: `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`; (3) to make the RoleAssignment not apply to Locked Groups: `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.locked']) && resource.type == 'cloudidentity.googleapis.com/Group'`. The Locked Groups condition can also be used in conjunction with a Security-related condition. These conditions only work with the pre-built administrator roles Groups Editor and Groups Reader. |
etag | string | ETag of the resource. |
kind | string | The type of the API resource. This is always admin#directory#roleAssignment (default: admin#directory#roleAssignment). |
orgUnitId | string | If the role is restricted to an organization unit, this contains the ID of the organization unit to which the exercise of this role is restricted. |
roleAssignmentId | string (int64) | ID of this roleAssignment. |
roleId | string (int64) | The ID of the role that is assigned. |
scopeType | string | The scope in which this role is assigned. |
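As an added illustration (not part of the StackQL docs or of Google's own code), the following Python audits the items of a `list` response against the field descriptions above: it flags assignments that carry no condition and no orgUnitId, and condition strings that are not byte-for-byte one of the three supported forms, since the API only honours them verbatim. The sample response and its IDs are constructed, and `audit_role_assignments` is a hypothetical helper name.

```python
# The three condition strings the condition field accepts; the API requires them verbatim.
GROUP_RESOURCE = "resource.type == 'cloudidentity.googleapis.com/Group'"
GROUP_LABELS = "api.getAttribute('cloudidentity.googleapis.com/groups.labels', [])"
ONLY_SECURITY_GROUPS = f"{GROUP_LABELS}.hasAny(['groups.security']) && {GROUP_RESOURCE}"
NOT_SECURITY_GROUPS = f"!{GROUP_LABELS}.hasAny(['groups.security']) && {GROUP_RESOURCE}"
NOT_LOCKED_GROUPS = f"!{GROUP_LABELS}.hasAny(['groups.locked']) && {GROUP_RESOURCE}"
SUPPORTED_CONDITIONS = {ONLY_SECURITY_GROUPS, NOT_SECURITY_GROUPS, NOT_LOCKED_GROUPS}

UNCONDITIONAL = "unconditional and not restricted to an org unit"
NOT_VERBATIM = "condition is not one of the supported verbatim strings"


def audit_role_assignments(items):
    """Return (roleAssignmentId, finding) pairs for assignments that deserve review.

    Both checks come from the field descriptions: an assignment with an empty
    condition and no orgUnitId applies the role at its scope without restriction,
    and a condition that is not exactly one of the supported strings will not
    impose the restriction its author intended (the strings must be verbatim).
    """
    findings = []
    for ra in items:
        ra_id = ra.get("roleAssignmentId", "?")
        condition = ra.get("condition") or ""
        if not condition:
            if not ra.get("orgUnitId"):
                findings.append((ra_id, UNCONDITIONAL))
        elif condition not in SUPPORTED_CONDITIONS:  # exact match, no normalisation
            findings.append((ra_id, NOT_VERBATIM))
    return findings


# Constructed sample in the shape of a list response; every ID here is made up.
SAMPLE_LIST_RESPONSE = {
    "kind": "admin#directory#roleAssignments",
    "items": [
        # no condition and no org-unit restriction: flagged
        {"roleAssignmentId": "1001", "roleId": "100", "assignedTo": "u-1"},
        # same role, but restricted to an org unit: not flagged
        {"roleAssignmentId": "1002", "roleId": "100", "assignedTo": "u-2", "orgUnitId": "ou-1"},
        # exact supported condition: not flagged
        {"roleAssignmentId": "1003", "roleId": "200", "assignedTo": "g-1",
         "condition": NOT_LOCKED_GROUPS},
        # hand-typed variant that dropped the space after the comma: not verbatim, flagged
        {"roleAssignmentId": "1004", "roleId": "200", "assignedTo": "g-2",
         "condition": NOT_SECURITY_GROUPS.replace("', []", "',[]")},
    ],
}

if __name__ == "__main__":
    for ra_id, finding in audit_role_assignments(SAMPLE_LIST_RESPONSE["items"]):
        print(f"roleAssignmentId {ra_id}: {finding}")
```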
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | customer, roleAssignmentId | | Retrieves a role assignment. |
list | select | customer | maxResults, pageToken, roleId, userKey, includeIndirectRoleAssignments | Retrieves a paginated list of all roleAssignments. |
insert | insert | customer | | Creates a role assignment. |
delete | delete | customer, roleAssignmentId | | Deletes a role assignment. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
customer | string | Required. The unique ID of the customer's Google Workspace account; the my_customer alias can be used for the caller's own account. |
roleAssignmentId | string | Immutable ID of the role assignment (the roleAssignmentId field of the resource). |
includeIndirectRoleAssignments | boolean | When true, the list also includes role assignments held indirectly through group membership, not only direct ones. |
maxResults | integer (int32) | Maximum number of results to return per page. |
pageToken | string | Token for the next page of results, as returned by a previous list call. |
roleId | string | Immutable ID of a role. If included, only role assignments containing this role ID are returned. |
userKey | string | The primary email address, alias email address, or unique user or group ID. If included, only role assignments for this user or group are returned. |
SELECT examples
- get
- list
Retrieves a role assignment.
SELECT
assignedTo,
assigneeType,
condition,
etag,
kind,
orgUnitId,
roleAssignmentId,
roleId,
scopeType
FROM googleadmin.directory.role_assignments
WHERE customer = '{{ customer }}' -- required
AND roleAssignmentId = '{{ roleAssignmentId }}'; -- required
Retrieves a paginated list of all roleAssignments.
SELECT
assignedTo,
assigneeType,
condition,
etag,
kind,
orgUnitId,
roleAssignmentId,
roleId,
scopeType
FROM googleadmin.directory.role_assignments
WHERE customer = '{{ customer }}' -- required
AND maxResults = '{{ maxResults }}'
AND pageToken = '{{ pageToken }}'
AND roleId = '{{ roleId }}'
AND userKey = '{{ userKey }}'
AND includeIndirectRoleAssignments = '{{ includeIndirectRoleAssignments }}';
INSERT examples
- insert
- Manifest
Creates a role assignment.
INSERT INTO googleadmin.directory.role_assignments (
data__roleAssignmentId,
data__roleId,
data__kind,
data__etag,
data__assignedTo,
data__scopeType,
data__orgUnitId,
data__condition,
customer
)
SELECT
'{{ roleAssignmentId }}',
'{{ roleId }}',
'{{ kind }}',
'{{ etag }}',
'{{ assignedTo }}',
'{{ scopeType }}',
'{{ orgUnitId }}',
'{{ condition }}',
'{{ customer }}'
RETURNING
assignedTo,
assigneeType,
condition,
etag,
kind,
orgUnitId,
roleAssignmentId,
roleId,
scopeType
;
# Description fields are for documentation purposes
- name: role_assignments
  props:
    - name: customer
      value: string
      description: Required parameter for the role_assignments resource.
    - name: roleAssignmentId
      value: string
      description: >
        ID of this roleAssignment.
    - name: roleId
      value: string
      description: >
        The ID of the role that is assigned.
    - name: kind
      value: string
      description: >
        The type of the API resource. This is always `admin#directory#roleAssignment`.
      default: admin#directory#roleAssignment
    - name: etag
      value: string
      description: >
        ETag of the resource.
    - name: assignedTo
      value: string
      description: >
        The unique ID of the entity this role is assigned to—either the `user_id` of a user,
        the `group_id` of a group, or the `uniqueId` of a service account as defined in
        [Identity and Access Management (IAM)](https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts).
    - name: scopeType
      value: string
      description: >
        The scope in which this role is assigned.
    - name: orgUnitId
      value: string
      description: >
        If the role is restricted to an organization unit, this contains the ID for the
        organization unit the exercise of this role is restricted to.
    - name: condition
      value: string
      description: >
        Optional. The condition associated with this role assignment.
        Note: Feature is available to Enterprise Standard, Enterprise Plus,
        Google Workspace for Education Plus and Cloud Identity Premium customers.
        A `RoleAssignment` with the `condition` field set will only take effect when the
        resource being accessed meets the condition. If `condition` is empty, the role
        (`role_id`) is applied to the actor (`assigned_to`) at the scope (`scope_type`)
        unconditionally. Currently, the following conditions are supported:
        - To make the `RoleAssignment` only applicable to
        [Security Groups](https://cloud.google.com/identity/docs/groups#group_types):
        `api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`
        - To make the `RoleAssignment` not applicable to
        [Security Groups](https://cloud.google.com/identity/docs/groups#group_types):
        `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`
        Currently, the condition strings have to be verbatim and they only work with the
        following [pre-built administrator roles](https://support.google.com/a/answer/2405986):
        - Groups Editor - Groups Reader
        The condition follows
        [Cloud IAM condition syntax](https://cloud.google.com/iam/docs/conditions-overview).
        - To make the `RoleAssignment` not applicable to
        [Locked Groups](https://cloud.google.com/identity/docs/groups#group_types):
        `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.locked']) && resource.type == 'cloudidentity.googleapis.com/Group'`
        This condition can also be used in conjunction with a Security-related condition.
DELETE examples
- delete
Deletes a role assignment.
DELETE FROM googleadmin.directory.role_assignments
WHERE customer = '{{ customer }}' -- required
AND roleAssignmentId = '{{ roleAssignmentId }}'; -- required