condition property
The condition associated with this role assignment.

Note: Feature is available to Enterprise Standard, Enterprise Plus, Google Workspace for Education Plus and Cloud Identity Premium customers.

A RoleAssignment with the condition field set will only take effect when the resource being accessed meets the condition. If condition is empty, the role (role_id) is applied to the actor (assigned_to) at the scope (scope_type) unconditionally.

Currently, the following conditions are supported:

- To make the RoleAssignment only applicable to Security Groups:
  `api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`
- To make the RoleAssignment not applicable to Security Groups:
  `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.security']) && resource.type == 'cloudidentity.googleapis.com/Group'`

Currently, the condition strings have to be verbatim and they only work with the following [pre-built administrator roles](https://support.google.com/a/answer/2405986):

- Groups Editor
- Groups Reader

The condition follows Cloud IAM condition syntax.

- To make the RoleAssignment not applicable to Locked Groups:
  `!api.getAttribute('cloudidentity.googleapis.com/groups.labels', []).hasAny(['groups.locked']) && resource.type == 'cloudidentity.googleapis.com/Group'`

This condition can also be used in conjunction with a Security-related condition.

Optional.
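
Because the condition strings must match verbatim and only work with Groups Editor and Groups Reader, planned assignments can be reviewed before they are submitted. The following is an added example, not code from the googleapis package; the `Assignment` class, the `review` function, the assumption that role names have already been resolved from role_id, and the sample data are all hypothetical.

```dart
// Added example. The three condition strings are assembled from the text on
// this page; every type, function and sample value below is hypothetical.
const _labels =
    "api.getAttribute('cloudidentity.googleapis.com/groups.labels', [])";
const _isGroup = "resource.type == 'cloudidentity.googleapis.com/Group'";

const supportedConditions = <String, String>{
  "$_labels.hasAny(['groups.security']) && $_isGroup": 'security groups only',
  "!$_labels.hasAny(['groups.security']) && $_isGroup": 'not security groups',
  "!$_labels.hasAny(['groups.locked']) && $_isGroup": 'not locked groups',
};

// Roles the page lists as the only ones that accept a condition.
const conditionalRoles = {'Groups Editor', 'Groups Reader'};

class Assignment {
  const Assignment(this.roleName, this.assignedTo, this.condition);
  final String roleName; // assumed to be resolved from role_id by the caller
  final String assignedTo;
  final String? condition;
}

/// Returns a finding for one assignment, or null when nothing needs review.
String? review(Assignment a) {
  final c = a.condition;
  if (c == null || c.isEmpty) {
    // An empty condition means the role applies to everything in scope.
    return conditionalRoles.contains(a.roleName)
        ? '${a.assignedTo}: ${a.roleName} applies unconditionally at its scope'
        : null;
  }
  if (!conditionalRoles.contains(a.roleName)) {
    return '${a.assignedTo}: conditions are not supported for ${a.roleName}';
  }
  if (!supportedConditions.containsKey(c)) {
    return '${a.assignedTo}: condition is not one of the verbatim strings';
  }
  return null;
}

void main() {
  final verbatim = supportedConditions.keys.first;
  final sample = [ // constructed sample data
    Assignment('Groups Editor', 'user-1', verbatim),
    Assignment('Groups Editor', 'user-2', null),
    Assignment('Groups Reader', 'user-3', verbatim.replaceAll("'", '"')),
    Assignment('Example Custom Role', 'user-4', verbatim),
  ];
  for (final a in sample) {
    final finding = review(a);
    if (finding != null) print('REVIEW $finding');
  }
}
```

The `user-3` entry differs from a supported string only in its quote characters, which is enough to fail the verbatim requirement.
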
Implementation
core.String? condition;