CloudIdentity
import { CloudIdentity } from "https://googleapis.deno.dev/v1/cloudidentity:v1.ts";
API for provisioning and managing identity resources.
§Methods
Cancels a UserInvitation that was already sent.
Required. UserInvitation
name in the format customers/{customer}/userinvitations/{user_email_address}
Retrieves a UserInvitation resource. Note: New consumer accounts with the customer's verified domain created within the previous 48 hours will not appear in the result. This delay also applies to newly-verified domains.
Required. UserInvitation
name in the format customers/{customer}/userinvitations/{user_email_address}
Verifies whether a user account is eligible to receive a UserInvitation (is an unmanaged account). Eligibility is based on the following criteria:
- the email address is a consumer account and it's the primary email address of the account, and * the domain of the email address matches an existing verified Google Workspace or Cloud Identity domain If both conditions are met, the user is eligible. Note: This method is not supported for Workspace Essentials customers.
Required. UserInvitation
name in the format customers/{customer}/userinvitations/{user_email_address}
Retrieves a list of UserInvitation resources. Note: New consumer accounts with the customer's verified domain created within the previous 48 hours will not appear in the result. This delay also applies to newly-verified domains.
Required. The customer ID of the Google Workspace or Cloud Identity account the UserInvitation resources are associated with.
Sends a UserInvitation to email. If the UserInvitation
does not exist
for this request and it is a valid request, the request creates a
UserInvitation
. Note: The get
and list
methods have a 48-hour
delay where newly-created consumer accounts will not appear in the results.
You can still send a UserInvitation
to those accounts if you know the
unmanaged email address and IsInvitableUser==True.
Required. UserInvitation
name in the format customers/{customer}/userinvitations/{user_email_address}
Cancels an unfinished device wipe. This operation can be used to cancel device wipe in the gap between the wipe operation returning success and the device being wiped. This operation is possible when the device is in a "pending wipe" state. The device enters the "pending wipe" state when a wipe device command is issued, but has not yet been sent to the device. The cancel wipe will fail if the wipe command has already been issued to the device.
Required. Resource name of the Device in format: devices/{device}
, where device is the unique ID assigned to the Device.
Creates a device. Only company-owned device may be created. Note: This method is available only to customers who have one of the following SKUs: Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium
Deletes the specified device.
Required. Resource name of the Device in format: devices/{device}
, where device is the unique ID assigned to the Device.
Approves device to access user data.
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Blocks device from accessing user data
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Cancels an unfinished user account wipe. This operation can be used to cancel device wipe in the gap between the wipe operation returning success and the device being wiped.
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Gets the client state for the device user
Required. Resource name of the ClientState in format: devices/{device}/deviceUsers/{device_user}/clientStates/{partner}
, where device
is the unique ID assigned to the Device, device_user
is the unique ID assigned to the User and partner
identifies the partner storing the data. To get the client state for devices belonging to your own organization, the partnerId
is in the format: customerId-*anystring*
. Where the customerId
is your organization's customer ID and anystring
is any suffix. This suffix is used in setting up Custom Access Levels in Context-Aware Access. You may use my_customer
instead of the customer ID for devices managed by your own organization. You may specify -
in place of the {device}
, so the ClientState resource name can be: devices/-/deviceUsers/{device_user_resource}/clientStates/{partner}
.
Lists the client states for the given search query.
Required. To list all ClientStates, set this to "devices/-/deviceUsers/-". To list all ClientStates owned by a DeviceUser, set this to the resource name of the DeviceUser. Format: devices/{device}/deviceUsers/{deviceUser}
Updates the client state for the device user Note: This method is available only to customers who have one of the following SKUs: Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium
Output only. Resource name of the ClientState in format: devices/{device}/deviceUsers/{device_user}/clientState/{partner}
, where partner corresponds to the partner storing the data. For partners belonging to the "BeyondCorp Alliance", this is the partner ID specified to you by Google. For all other callers, this is a string of the form: {customer}-suffix
, where customer
is your customer ID. The suffix is any string the caller specifies. This string will be displayed verbatim in the administration console. This suffix is used in setting up Custom Access Levels in Context-Aware Access. Your organization's customer ID can be obtained from the URL: GET https://www.googleapis.com/admin/directory/v1/customers/my_customer
The id
field in the response contains the customer ID starting with the letter 'C'. The customer ID to be used in this API is the string after the letter 'C' (not including 'C')
Deletes the specified DeviceUser. This also revokes the user's access to device data.
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Retrieves the specified DeviceUser
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Lists/Searches DeviceUsers.
Required. To list all DeviceUsers, set this to "devices/-". To list all DeviceUsers owned by a device, set this to the resource name of the device. Format: devices/{device}
Looks up resource names of the DeviceUsers associated with the caller's credentials, as well as the properties provided in the request. This method must be called with end-user credentials with the scope: https://www.googleapis.com/auth/cloud-identity.devices.lookup If multiple properties are provided, only DeviceUsers having all of these properties are considered as matches - i.e. the query behaves like an AND. Different platforms require different amounts of information from the caller to ensure that the DeviceUser is uniquely identified. - iOS: No properties need to be passed, the caller's credentials are sufficient to identify the corresponding DeviceUser. - Android: Specifying the 'android_id' field is required. - Desktop: Specifying the 'raw_resource_id' field is required.
Must be set to "devices/-/deviceUsers" to search across all DeviceUser belonging to the user.
Wipes the user's account on a device. Other data on the device that is not associated with the user's work account is not affected. For example, if a Gmail app is installed on a device that is used for personal and work purposes, and the user is logged in to the Gmail app with their personal account as well as their work account, wiping the "deviceUser" by their work administrator will not affect their personal account within Gmail or other apps such as Photos.
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Retrieves the specified device.
Required. Resource name of the Device in the format: devices/{device}
, where device is the unique ID assigned to the Device.
Lists/Searches devices.
Wipes all data on the specified device.
Required. Resource name of the Device in format: devices/{device}/deviceUsers/{device_user}
, where device is the unique ID assigned to the Device, and device_user is the unique ID assigned to the User.
Deletes a Group
.
Required. The resource name of the Group
to retrieve. Must be of the form groups/{group}
.
Retrieves a Group
.
Required. The resource name of the Group
to retrieve. Must be of the form groups/{group}
.
Get Security Settings
Required. The security settings to retrieve. Format: groups/{group_id}/securitySettings
Lists the Group
resources under a customer or namespace.
Looks up the resource
name of a Group
by
its EntityKey
.
Check a potential member for membership in a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A member has membership to a group as long as there is a single viewable transitive membership between the group and the member. The actor must have view permissions to at least one transitive membership between the member and group.
Resource name of the group to check the transitive membership in. Format: groups/{group}
, where group
is the unique id assigned to the Group to which the Membership belongs to.
Creates a Membership
.
Required. The parent Group
resource under which to create the Membership
. Must be of the form groups/{group}
.
Deletes a Membership
.
Required. The resource name of the Membership
to delete. Must be of the form groups/{group}/memberships/{membership}
Retrieves a Membership
.
Required. The resource name of the Membership
to retrieve. Must be of the form groups/{group}/memberships/{membership}
.
Get a membership graph of just a member or both a member and a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. Given a member, the response will contain all membership paths from the member. Given both a group and a member, the response will contain all membership paths between the group and the member.
Required. Resource name of the group to search transitive memberships in. Format: groups/{group}
, where group
is the unique ID assigned to the Group to which the Membership belongs to. group can be a wildcard collection id "-". When a group is specified, the membership graph will be constrained to paths between the member (defined in the query) and the parent. If a wildcard collection is provided, all membership paths connected to the member will be returned.
Lists the Membership
s within a Group
.
Required. The parent Group
resource under which to lookup the Membership
name. Must be of the form groups/{group}
.
Looks up the resource
name of a
Membership
by its EntityKey
.
Required. The parent Group
resource under which to lookup the Membership
name. Must be of the form groups/{group}
.
Modifies the MembershipRole
s of a Membership
.
Required. The resource name of the Membership
whose roles are to be modified. Must be of the form groups/{group}/memberships/{membership}
.
Searches direct groups of a member.
Resource name of the group to search transitive memberships in. Format: groups/{group_id}, where group_id is always '-' as this API will search across all groups for a given member.
Search transitive groups of a member. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A transitive group is any group that has a direct or indirect membership to the member. Actor must have view permissions all transitive groups.
Resource name of the group to search transitive memberships in. Format: groups/{group}
, where group
is always '-' as this API will search across all groups for a given member.
Search transitive memberships of a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the group is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A transitive membership is any direct or indirect membership of a group. Actor must have view permissions to all transitive memberships.
Resource name of the group to search transitive memberships in. Format: groups/{group}
, where group
is the unique ID assigned to the Group.
Updates a Group
.
Output only. The resource name of the Group
. Shall be of the form groups/{group}
.
Searches for Group
resources matching a specified query.
Update Security Settings
Output only. The resource name of the security settings. Shall be of the form groups/{group_id}/securitySettings
.
Creates an InboundSamlSsoProfile for a customer.
Deletes an InboundSamlSsoProfile.
Required. The resource name of the InboundSamlSsoProfile to delete. Format: inboundSamlSsoProfiles/{sso_profile_id}
Gets an InboundSamlSsoProfile.
Required. The resource name of the InboundSamlSsoProfile to get. Format: inboundSamlSsoProfiles/{sso_profile_id}
Adds an IdpCredential. Up to 2 credentials are allowed.
Required. The InboundSamlSsoProfile that owns the IdpCredential. Format: inboundSamlSsoProfiles/{sso_profile_id}
Deletes an IdpCredential.
Required. The resource name of the IdpCredential to delete. Format: inboundSamlSsoProfiles/{sso_profile_id}/idpCredentials/{idp_credential_id}
Gets an IdpCredential.
Required. The resource name of the IdpCredential to retrieve. Format: inboundSamlSsoProfiles/{sso_profile_id}/idpCredentials/{idp_credential_id}
Returns a list of IdpCredentials in an InboundSamlSsoProfile.
Required. The parent, which owns this collection of IdpCredential
s. Format: inboundSamlSsoProfiles/{sso_profile_id}
Lists InboundSamlSsoProfiles for a customer.
Updates an InboundSamlSsoProfile.
Output only. Resource name of the SAML SSO profile.
Creates an InboundSsoAssignment for users and devices in a Customer
under a given Group
or OrgUnit
.
Deletes an InboundSsoAssignment. To disable SSO, Create (or Update) an
assignment that has sso_mode
== SSO_OFF
.
Required. The resource name of the InboundSsoAssignment to delete. Format: inboundSsoAssignments/{assignment}
Gets an InboundSsoAssignment.
Required. The resource name of the InboundSsoAssignment to fetch. Format: inboundSsoAssignments/{assignment}
Lists the InboundSsoAssignments for a Customer
.
Updates an InboundSsoAssignment. The body of this request is the
inbound_sso_assignment
field and the update_mask
is relative to that.
For example: a PATCH to
/v1/inboundSsoAssignments/0abcdefg1234567&update_mask=rank
with a body of
{ "rank": 1 }
moves that (presumably group-targeted) SSO assignment to
the highest priority and shifts any other group-targeted assignments down
in priority.
Output only. Resource name of the Inbound SSO Assignment.