package google.privacy.dlp.v2

Get desktop application:
View/edit binary Protocol Buffers messages

The Cloud Data Loss Prevention (DLP) API is a service that allows clients to detect the presence of Personally Identifiable Information (PII) and other privacy-sensitive data in user-supplied, unstructured data streams, like text blocks or images. The service also includes methods for sensitive data redaction and scheduling of data scans on Google Cloud Platform based data sets. To learn more about concepts and find how-to guides see https://cloud.google.com/dlp/docs/.

• rpc InspectContent (InspectContentRequest, InspectContentResponse)

  dlp.proto:61

  Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,

  message InspectContentRequest

  dlp.proto:951

  Request to search for potentially sensitive info in a ContentItem.

  • string parent = 1

    The parent resource name, for example projects/my-project-id.

  • optional InspectConfig inspect_config = 2

    Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument.

  • optional ContentItem item = 3

    The item to inspect.

  • string inspect_template_name = 4

    Optional template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

  message InspectContentResponse

  dlp.proto:971

  Results of inspecting an item.

  • optional InspectResult result = 1

    The findings.

• rpc RedactImage (RedactImageRequest, RedactImageResponse)

  dlp.proto:76

  Redacts potentially sensitive info from an image. This method has limits on input size, processing time, and output size. See https://cloud.google.com/dlp/docs/redacting-sensitive-data-images to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

  message RedactImageRequest

  dlp.proto:797

  Request to search for potentially sensitive info in an image and redact it by covering it with a colored rectangle.

  • string parent = 1

    The parent resource name, for example projects/my-project-id.

  • optional InspectConfig inspect_config = 2

    Configuration for the inspector.

  • repeated RedactImageRequest.ImageRedactionConfig image_redaction_configs = 5

    The configuration for specifying what content to redact from images.

  • bool include_findings = 6

    Whether the response should include findings along with the redacted image.

  • optional ByteContentItem byte_item = 7

    The content must be PNG, JPEG, SVG or BMP.

  message RedactImageResponse

  dlp.proto:848

  Results of redacting an image.

  • bytes redacted_image = 1

    The redacted image. The type will be the same as the original image.

  • string extracted_text = 2

    If an image was being inspected and the InspectConfig's include_quote was set to true, then this field will include all text, if any, that was found in the image.

  • optional InspectResult inspect_result = 3

    The findings. Populated when include_findings in the request is true.

• rpc DeidentifyContent (DeidentifyContentRequest, DeidentifyContentResponse)

  dlp.proto:91

  De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

  message DeidentifyContentRequest

  dlp.proto:862

  Request to de-identify a list of items.

  • string parent = 1

    The parent resource name, for example projects/my-project-id.

  • optional DeidentifyConfig deidentify_config = 2

    Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.

  • optional InspectConfig inspect_config = 3

    Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

  • optional ContentItem item = 4

    The item to de-identify. Will be treated as text.

  • string inspect_template_name = 5

    Optional template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

  • string deidentify_template_name = 6

    Optional template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

  message DeidentifyContentResponse

  dlp.proto:895

  Results of de-identifying a ContentItem.

  • optional ContentItem item = 1

    The de-identified item.

  • optional TransformationOverview overview = 2

    An overview of the changes that were made on the `item`.

• rpc ReidentifyContent (ReidentifyContentRequest, ReidentifyContentResponse)

  dlp.proto:102

  Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.

  message ReidentifyContentRequest

  dlp.proto:904

  Request to re-identify an item.

  • string parent = 1

    The parent resource name.

  • optional DeidentifyConfig reidentify_config = 2

    Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are: - `CryptoReplaceFfxFpeConfig`

  • optional InspectConfig inspect_config = 3

    Configuration for the inspector.

  • optional ContentItem item = 4

    The item to re-identify. Will be treated as text.

  • string inspect_template_name = 5

    Optional template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

  • string reidentify_template_name = 6

    Optional template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

  message ReidentifyContentResponse

  dlp.proto:942

  Results of re-identifying a item.

  • optional ContentItem item = 1

    The re-identified item.

  • optional TransformationOverview overview = 2

    An overview of the changes that were made to the `item`.

• rpc ListInfoTypes (ListInfoTypesRequest, ListInfoTypesResponse)

  dlp.proto:112

  Returns a list of the sensitive information types that the DLP API supports. See https://cloud.google.com/dlp/docs/infotypes-reference to learn more.

  message ListInfoTypesRequest

  dlp.proto:1085

  Request for the list of infoTypes.

  • string language_code = 1

    Optional BCP-47 language code for localized infoType friendly names. If omitted, or if localized strings are not available, en-US strings will be returned.

  • string filter = 2

    Optional filter to only return infoTypes supported by certain parts of the API. Defaults to supported_by=INSPECT.

  message ListInfoTypesResponse

  dlp.proto:1097

  Response to the ListInfoTypes request.

  • repeated InfoTypeDescription info_types = 1

    Set of sensitive infoTypes.

• rpc CreateInspectTemplate (CreateInspectTemplateRequest, InspectTemplate)

  dlp.proto:121

  Creates an InspectTemplate for re-using frequently used configuration for inspecting content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

  message CreateInspectTemplateRequest

  dlp.proto:2522

  Request message for CreateInspectTemplate.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • optional InspectTemplate inspect_template = 2

    The InspectTemplate to create.

  • string template_id = 3

    The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.

• rpc UpdateInspectTemplate (UpdateInspectTemplateRequest, InspectTemplate)

  dlp.proto:134

  Updates the InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

  message UpdateInspectTemplateRequest

  dlp.proto:2538

  Request message for UpdateInspectTemplate.

  • string name = 1

    Resource name of organization and inspectTemplate to be updated, for example `organizations/433245324/inspectTemplates/432452342` or projects/project-id/inspectTemplates/432452342.

  • optional InspectTemplate inspect_template = 2

    New InspectTemplate value.

  • optional protobuf.FieldMask update_mask = 3

    Mask to control which fields get updated.

• rpc GetInspectTemplate (GetInspectTemplateRequest, InspectTemplate)

  dlp.proto:147

  Gets an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

  message GetInspectTemplateRequest

  dlp.proto:2552

  Request message for GetInspectTemplate.

  • string name = 1

    Resource name of the organization and inspectTemplate to be read, for example `organizations/433245324/inspectTemplates/432452342` or projects/project-id/inspectTemplates/432452342.

• rpc ListInspectTemplates (ListInspectTemplatesRequest, ListInspectTemplatesResponse)

  dlp.proto:158

  Lists InspectTemplates. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

  message ListInspectTemplatesRequest

  dlp.proto:2560

  Request message for ListInspectTemplates.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • string page_token = 2

    Optional page token to continue retrieval. Comes from previous call to `ListInspectTemplates`.

  • int32 page_size = 3

    Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

  • string order_by = 4

    Optional comma separated list of fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc,update_time, create_time desc` Supported fields are: - `create_time`: corresponds to time the template was created. - `update_time`: corresponds to time the template was last updated. - `name`: corresponds to template's name. - `display_name`: corresponds to template's display name.

  message ListInspectTemplatesResponse

  dlp.proto:2590

  Response message for ListInspectTemplates.

  • repeated InspectTemplate inspect_templates = 1

    List of inspectTemplates, up to page_size in ListInspectTemplatesRequest.

  • string next_page_token = 2

    If the next page is available then the next page token to be used in following ListInspectTemplates request.

• rpc DeleteInspectTemplate (DeleteInspectTemplateRequest, protobuf.Empty)

  dlp.proto:169

  Deletes an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

  message DeleteInspectTemplateRequest

  dlp.proto:2600

  Request message for DeleteInspectTemplate.

  • string name = 1

    Resource name of the organization and inspectTemplate to be deleted, for example `organizations/433245324/inspectTemplates/432452342` or projects/project-id/inspectTemplates/432452342.

• rpc CreateDeidentifyTemplate (CreateDeidentifyTemplateRequest, DeidentifyTemplate)

  dlp.proto:182

  Creates a DeidentifyTemplate for re-using frequently used configuration for de-identifying content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

  message CreateDeidentifyTemplateRequest

  dlp.proto:2929

  Request message for CreateDeidentifyTemplate.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • optional DeidentifyTemplate deidentify_template = 2

    The DeidentifyTemplate to create.

  • string template_id = 3

    The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.

• rpc UpdateDeidentifyTemplate (UpdateDeidentifyTemplateRequest, DeidentifyTemplate)

  dlp.proto:196

  Updates the DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

  message UpdateDeidentifyTemplateRequest

  dlp.proto:2945

  Request message for UpdateDeidentifyTemplate.

  • string name = 1

    Resource name of organization and deidentify template to be updated, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342.

  • optional DeidentifyTemplate deidentify_template = 2

    New DeidentifyTemplate value.

  • optional protobuf.FieldMask update_mask = 3

    Mask to control which fields get updated.

• rpc GetDeidentifyTemplate (GetDeidentifyTemplateRequest, DeidentifyTemplate)

  dlp.proto:210

  Gets a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

  message GetDeidentifyTemplateRequest

  dlp.proto:2959

  Request message for GetDeidentifyTemplate.

  • string name = 1

    Resource name of the organization and deidentify template to be read, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342.

• rpc ListDeidentifyTemplates (ListDeidentifyTemplatesRequest, ListDeidentifyTemplatesResponse)

  dlp.proto:222

  Lists DeidentifyTemplates. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

  message ListDeidentifyTemplatesRequest

  dlp.proto:2967

  Request message for ListDeidentifyTemplates.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • string page_token = 2

    Optional page token to continue retrieval. Comes from previous call to `ListDeidentifyTemplates`.

  • int32 page_size = 3

    Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

  • string order_by = 4

    Optional comma separated list of fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc,update_time, create_time desc` Supported fields are: - `create_time`: corresponds to time the template was created. - `update_time`: corresponds to time the template was last updated. - `name`: corresponds to template's name. - `display_name`: corresponds to template's display name.

  message ListDeidentifyTemplatesResponse

  dlp.proto:2997

  Response message for ListDeidentifyTemplates.

  • repeated DeidentifyTemplate deidentify_templates = 1

    List of deidentify templates, up to page_size in ListDeidentifyTemplatesRequest.

  • string next_page_token = 2

    If the next page is available then the next page token to be used in following ListDeidentifyTemplates request.

• rpc DeleteDeidentifyTemplate (DeleteDeidentifyTemplateRequest, protobuf.Empty)

  dlp.proto:234

  Deletes a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

  message DeleteDeidentifyTemplateRequest

  dlp.proto:3008

  Request message for DeleteDeidentifyTemplate.

  • string name = 1

    Resource name of the organization and deidentify template to be deleted, for example `organizations/433245324/deidentifyTemplates/432452342` or projects/project-id/deidentifyTemplates/432452342.

• rpc CreateJobTrigger (CreateJobTriggerRequest, JobTrigger)

  dlp.proto:246

  Creates a job trigger to run DLP actions such as scanning storage for sensitive information on a set schedule. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

  message CreateJobTriggerRequest

  dlp.proto:2608

  Request message for CreateJobTrigger.

  • string parent = 1

    The parent resource name, for example projects/my-project-id.

  • optional JobTrigger job_trigger = 2

    The JobTrigger to create.

  • string trigger_id = 3

    The trigger id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.

• rpc UpdateJobTrigger (UpdateJobTriggerRequest, JobTrigger)

  dlp.proto:255

  Updates a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

  message UpdateJobTriggerRequest

  dlp.proto:2630

  Request message for UpdateJobTrigger.

  • string name = 1

    Resource name of the project and the triggeredJob, for example `projects/dlp-test-project/jobTriggers/53234423`.

  • optional JobTrigger job_trigger = 2

    New JobTrigger value.

  • optional protobuf.FieldMask update_mask = 3

    Mask to control which fields get updated.

• rpc GetJobTrigger (GetJobTriggerRequest, JobTrigger)

  dlp.proto:264

  Gets a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

  message GetJobTriggerRequest

  dlp.proto:2643

  Request message for GetJobTrigger.

  • string name = 1

    Resource name of the project and the triggeredJob, for example `projects/dlp-test-project/jobTriggers/53234423`.

• rpc ListJobTriggers (ListJobTriggersRequest, ListJobTriggersResponse)

  dlp.proto:272

  Lists job triggers. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

  message ListJobTriggersRequest

  dlp.proto:2671

  Request message for ListJobTriggers.

  • string parent = 1

    The parent resource name, for example `projects/my-project-id`.

  • string page_token = 2

    Optional page token to continue retrieval. Comes from previous call to ListJobTriggers. `order_by` field must not change for subsequent calls.

  • int32 page_size = 3

    Optional size of the page, can be limited by a server.

  • string order_by = 4

    Optional comma separated list of triggeredJob fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc,update_time, create_time desc` Supported fields are: - `create_time`: corresponds to time the JobTrigger was created. - `update_time`: corresponds to time the JobTrigger was last updated. - `last_run_time`: corresponds to the last time the JobTrigger ran. - `name`: corresponds to JobTrigger's name. - `display_name`: corresponds to JobTrigger's display name. - `status`: corresponds to JobTrigger's status.

  • string filter = 5

    Optional. Allows filtering. Supported syntax: * Filter expressions are made up of one or more restrictions. * Restrictions can be combined by `AND` or `OR` logical operators. A sequence of restrictions implicitly uses `AND`. * A restriction has the form of `<field> <operator> <value>`. * Supported fields/values for inspect jobs: - `status` - HEALTHY|PAUSED|CANCELLED - `inspected_storage` - DATASTORE|CLOUD_STORAGE|BIGQUERY - 'last_run_time` - RFC 3339 formatted timestamp, surrounded by quotation marks. Nanoseconds are ignored. - 'error_count' - Number of errors that have occurred while running. * The operator must be `=` or `!=` for status and inspected_storage. Examples: * inspected_storage = cloud_storage AND status = HEALTHY * inspected_storage = cloud_storage OR inspected_storage = bigquery * inspected_storage = cloud_storage AND (state = PAUSED OR state = HEALTHY) * last_run_time > \"2017-12-12T00:00:00+00:00\" The length of this field should be no more than 500 characters.

  message ListJobTriggersResponse

  dlp.proto:2728

  Response message for ListJobTriggers.

  • repeated JobTrigger job_triggers = 1

    List of triggeredJobs, up to page_size in ListJobTriggersRequest.

  • string next_page_token = 2

    If the next page is available then the next page token to be used in following ListJobTriggers request.

• rpc DeleteJobTrigger (DeleteJobTriggerRequest, protobuf.Empty)

  dlp.proto:280

  Deletes a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

  message DeleteJobTriggerRequest

  dlp.proto:2738

  Request message for DeleteJobTrigger.

  • string name = 1

    Resource name of the project and the triggeredJob, for example `projects/dlp-test-project/jobTriggers/53234423`.

• rpc ActivateJobTrigger (ActivateJobTriggerRequest, DlpJob)

  dlp.proto:288

  Activate a job trigger. Causes the immediate execute of a trigger instead of waiting on the trigger event to occur.

  message ActivateJobTriggerRequest

  dlp.proto:2623

  Request message for ActivateJobTrigger.

  • string name = 1

    Resource name of the trigger to activate, for example `projects/dlp-test-project/jobTriggers/53234423`.

• rpc CreateDlpJob (CreateDlpJobRequest, DlpJob)

  dlp.proto:302

  Creates a new job to inspect storage or calculate risk metrics. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more. When no InfoTypes or CustomInfoTypes are specified in inspect jobs, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

  message CreateDlpJobRequest

  dlp.proto:2652

  Request message for CreateDlpJobRequest. Used to initiate long running jobs such as calculating risk metrics or inspecting Google Cloud Storage.

  • string parent = 1

    The parent resource name, for example projects/my-project-id.

  • oneof job

    The configuration details for the specific type of job to run.

    • InspectJobConfig inspect_job = 2

    • RiskAnalysisJobConfig risk_job = 3

  • string job_id = 4

    The job id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.

• rpc ListDlpJobs (ListDlpJobsRequest, ListDlpJobsResponse)

  dlp.proto:312

  Lists DlpJobs that match the specified filter in the request. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

  message ListDlpJobsRequest

  dlp.proto:2848

  The request message for listing DLP jobs.

  • string parent = 4

    The parent resource name, for example projects/my-project-id.

  • string filter = 1

    Optional. Allows filtering. Supported syntax: * Filter expressions are made up of one or more restrictions. * Restrictions can be combined by `AND` or `OR` logical operators. A sequence of restrictions implicitly uses `AND`. * A restriction has the form of `<field> <operator> <value>`. * Supported fields/values for inspect jobs: - `state` - PENDING|RUNNING|CANCELED|FINISHED|FAILED - `inspected_storage` - DATASTORE|CLOUD_STORAGE|BIGQUERY - `trigger_name` - The resource name of the trigger that created job. - 'end_time` - Corresponds to time the job finished. - 'start_time` - Corresponds to time the job finished. * Supported fields for risk analysis jobs: - `state` - RUNNING|CANCELED|FINISHED|FAILED - 'end_time` - Corresponds to time the job finished. - 'start_time` - Corresponds to time the job finished. * The operator must be `=` or `!=`. Examples: * inspected_storage = cloud_storage AND state = done * inspected_storage = cloud_storage OR inspected_storage = bigquery * inspected_storage = cloud_storage AND (state = done OR state = canceled) * end_time > \"2017-12-12T00:00:00+00:00\" The length of this field should be no more than 500 characters.

  • int32 page_size = 2

    The standard list page size.

  • string page_token = 3

    The standard list page token.

  • DlpJobType type = 5

    The type of job. Defaults to `DlpJobType.INSPECT`

  • string order_by = 6

    Optional comma separated list of fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc, end_time asc, create_time desc` Supported fields are: - `create_time`: corresponds to time the job was created. - `end_time`: corresponds to time the job ended. - `name`: corresponds to job's name. - `state`: corresponds to `state`

  message ListDlpJobsResponse

  dlp.proto:2908

  The response message for listing DLP jobs.

  • repeated DlpJob jobs = 1

    A list of DlpJobs that matches the specified filter in the request.

  • string next_page_token = 2

    The standard List next-page token.

• rpc GetDlpJob (GetDlpJobRequest, DlpJob)

  dlp.proto:321

  Gets the latest state of a long-running DlpJob. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

  message GetDlpJobRequest

  dlp.proto:2842

  The request message for [DlpJobs.GetDlpJob][].

  • string name = 1

    The name of the DlpJob resource.

• rpc DeleteDlpJob (DeleteDlpJobRequest, protobuf.Empty)

  dlp.proto:332

  Deletes a long-running DlpJob. This method indicates that the client is no longer interested in the DlpJob result. The job will be cancelled if possible. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

  message DeleteDlpJobRequest

  dlp.proto:2923

  The request message for deleting a DLP job.

  • string name = 1

    The name of the DlpJob resource to be deleted.

• rpc CancelDlpJob (CancelDlpJobRequest, protobuf.Empty)

  dlp.proto:343

  Starts asynchronous cancellation on a long-running DlpJob. The server makes a best effort to cancel the DlpJob, but success is not guaranteed. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

  message CancelDlpJobRequest

  dlp.proto:2917

  The request message for canceling a DLP job.

  • string name = 1

    The name of the DlpJob resource to be cancelled.

• rpc CreateStoredInfoType (CreateStoredInfoTypeRequest, StoredInfoType)

  dlp.proto:353

  Creates a pre-built stored infoType to be used for inspection. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

  message CreateStoredInfoTypeRequest

  dlp.proto:3111

  Request message for CreateStoredInfoType.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • optional StoredInfoTypeConfig config = 2

    Configuration of the storedInfoType to create.

  • string stored_info_type_id = 3

    The storedInfoType ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 characters. Can be empty to allow the system to generate one.

• rpc UpdateStoredInfoType (UpdateStoredInfoTypeRequest, StoredInfoType)

  dlp.proto:368

  Updates the stored infoType by creating a new version. The existing version will continue to be used until the new version is ready. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

  message UpdateStoredInfoTypeRequest

  dlp.proto:3127

  Request message for UpdateStoredInfoType.

  • string name = 1

    Resource name of organization and storedInfoType to be updated, for example `organizations/433245324/storedInfoTypes/432452342` or projects/project-id/storedInfoTypes/432452342.

  • optional StoredInfoTypeConfig config = 2

    Updated configuration for the storedInfoType. If not provided, a new version of the storedInfoType will be created with the existing configuration.

  • optional protobuf.FieldMask update_mask = 3

    Mask to control which fields get updated.

• rpc GetStoredInfoType (GetStoredInfoTypeRequest, StoredInfoType)

  dlp.proto:382

  Gets a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

  message GetStoredInfoTypeRequest

  dlp.proto:3143

  Request message for GetStoredInfoType.

  • string name = 1

    Resource name of the organization and storedInfoType to be read, for example `organizations/433245324/storedInfoTypes/432452342` or projects/project-id/storedInfoTypes/432452342.

• rpc ListStoredInfoTypes (ListStoredInfoTypesRequest, ListStoredInfoTypesResponse)

  dlp.proto:394

  Lists stored infoTypes. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

  message ListStoredInfoTypesRequest

  dlp.proto:3151

  Request message for ListStoredInfoTypes.

  • string parent = 1

    The parent resource name, for example projects/my-project-id or organizations/my-org-id.

  • string page_token = 2

    Optional page token to continue retrieval. Comes from previous call to `ListStoredInfoTypes`.

  • int32 page_size = 3

    Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

  • string order_by = 4

    Optional comma separated list of fields to order by, followed by `asc` or `desc` postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant. Example: `name asc, display_name, create_time desc` Supported fields are: - `create_time`: corresponds to time the most recent version of the resource was created. - `state`: corresponds to the state of the resource. - `name`: corresponds to resource name. - `display_name`: corresponds to info type's display name.

  message ListStoredInfoTypesResponse

  dlp.proto:3182

  Response message for ListStoredInfoTypes.

  • repeated StoredInfoType stored_info_types = 1

    List of storedInfoTypes, up to page_size in ListStoredInfoTypesRequest.

  • string next_page_token = 2

    If the next page is available then the next page token to be used in following ListStoredInfoTypes request.

• rpc DeleteStoredInfoType (DeleteStoredInfoTypeRequest, protobuf.Empty)

  dlp.proto:406

  Deletes a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

  message DeleteStoredInfoTypeRequest

  dlp.proto:3192

  Request message for DeleteStoredInfoType.

  • string name = 1

    Resource name of the organization and storedInfoType to be deleted, for example `organizations/433245324/storedInfoTypes/432452342` or projects/project-id/storedInfoTypes/432452342.

A task to execute on the completion of a job. See https://cloud.google.com/dlp/docs/concepts-actions to learn more.

Used in: InspectJobConfig, RiskAnalysisJobConfig

• oneof action

  • Action.SaveFindings save_findings = 1

    Save resulting findings in a provided location.

  • Action.PublishToPubSub pub_sub = 2

    Publish a notification to a pubsub topic.

  • Action.PublishSummaryToCscc publish_summary_to_cscc = 3

    Publish summary to Cloud Security Command Center (Alpha).

  • Action.PublishFindingsToCloudDataCatalog publish_findings_to_cloud_data_catalog = 5

    Publish findings to Cloud Datahub.

  • Action.JobNotificationEmails job_notification_emails = 8

    Enable email notification to project owners and editors on job's completion/failure.

Enable email notification to project owners and editors on jobs's completion/failure.

Used in: Action

(message has no fields)

Publish findings of a DlpJob to Cloud Data Catalog. Labels summarizing the results of the DlpJob will be applied to the entry for the resource scanned in Cloud Data Catalog. Any labels previously written by another DlpJob will be deleted. InfoType naming patterns are strictly enforced when using this feature. Note that the findings will be persisted in Cloud Data Catalog storage and are governed by Data Catalog service-specific policy, see https://cloud.google.com/terms/service-terms Only a single instance of this action can be specified and only allowed if all resources being scanned are BigQuery tables. Compatible with: Inspect

Used in: Action

(message has no fields)

Publish the result summary of a DlpJob to the Cloud Security Command Center (CSCC Alpha). This action is only available for projects which are parts of an organization and whitelisted for the alpha Cloud Security Command Center. The action will publish count of finding instances and their info types. The summary of findings will be persisted in CSCC and are governed by CSCC service-specific policy, see https://cloud.google.com/terms/service-terms Only a single instance of this action can be specified. Compatible with: Inspect

Used in: Action

(message has no fields)

Publish a message into given Pub/Sub topic when DlpJob has completed. The message contains a single field, `DlpJobName`, which is equal to the finished job's [`DlpJob.name`](/dlp/docs/reference/rest/v2/projects.dlpJobs#DlpJob). Compatible with: Inspect, Risk

Used in: Action

• string topic = 1

  Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}.

If set, the detailed findings will be persisted to the specified OutputStorageConfig. Only a single instance of this action can be specified. Compatible with: Inspect, Risk

Used in: Action

• optional OutputStorageConfig output_config = 1

Result of a risk analysis operation request.

Used in: DlpJob

• optional PrivacyMetric requested_privacy_metric = 1

  Privacy metric to compute.

• optional BigQueryTable requested_source_table = 2

  Input dataset to compute metrics over.

• oneof result

  Values associated with this metric.

  • AnalyzeDataSourceRiskDetails.NumericalStatsResult numerical_stats_result = 3

  • AnalyzeDataSourceRiskDetails.CategoricalStatsResult categorical_stats_result = 4

  • AnalyzeDataSourceRiskDetails.KAnonymityResult k_anonymity_result = 5

  • AnalyzeDataSourceRiskDetails.LDiversityResult l_diversity_result = 6

  • AnalyzeDataSourceRiskDetails.KMapEstimationResult k_map_estimation_result = 7

  • AnalyzeDataSourceRiskDetails.DeltaPresenceEstimationResult delta_presence_estimation_result = 9

Result of the categorical stats computation.

Used in: AnalyzeDataSourceRiskDetails

• repeated CategoricalStatsResult.CategoricalStatsHistogramBucket value_frequency_histogram_buckets = 5

  Histogram of value frequencies in the column.

Used in: CategoricalStatsResult

• int64 value_frequency_lower_bound = 1

  Lower bound on the value frequency of the values in this bucket.

• int64 value_frequency_upper_bound = 2

  Upper bound on the value frequency of the values in this bucket.

• int64 bucket_size = 3

  Total number of values in this bucket.

• repeated ValueFrequency bucket_values = 4

  Sample of value frequencies in this bucket. The total number of values returned per bucket is capped at 20.

• int64 bucket_value_count = 5

  Total number of distinct values in this bucket.

Result of the δ-presence computation. Note that these results are an estimation, not exact values.

Used in: AnalyzeDataSourceRiskDetails

• repeated DeltaPresenceEstimationResult.DeltaPresenceEstimationHistogramBucket delta_presence_estimation_histogram = 1

  The intervals [min_probability, max_probability) do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_probability: 0, max_probability: 0.1, frequency: 17} {min_probability: 0.2, max_probability: 0.3, frequency: 42} {min_probability: 0.3, max_probability: 0.4, frequency: 99} mean that there are no record with an estimated probability in [0.1, 0.2) nor larger or equal to 0.4.

A DeltaPresenceEstimationHistogramBucket message with the following values: min_probability: 0.1 max_probability: 0.2 frequency: 42 means that there are 42 records for which δ is in [0.1, 0.2). An important particular case is when min_probability = max_probability = 1: then, every individual who shares this quasi-identifier combination is in the dataset.

Used in: DeltaPresenceEstimationResult

• double min_probability = 1

  Between 0 and 1.

• double max_probability = 2

  Always greater than or equal to min_probability.

• int64 bucket_size = 5

  Number of records within these probability bounds.

• repeated DeltaPresenceEstimationQuasiIdValues bucket_values = 6

  Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

• int64 bucket_value_count = 7

  Total number of distinct quasi-identifier tuple values in this bucket.

A tuple of values for the quasi-identifier columns.

Used in: DeltaPresenceEstimationHistogramBucket

• repeated Value quasi_ids_values = 1

  The quasi-identifier values.

• double estimated_probability = 2

  The estimated probability that a given individual sharing these quasi-identifier values is in the dataset. This value, typically called δ, is the ratio between the number of records in the dataset with these quasi-identifier values, and the total number of individuals (inside *and* outside the dataset) with these quasi-identifier values. For example, if there are 15 individuals in the dataset who share the same quasi-identifier values, and an estimated 100 people in the entire population with these values, then δ is 0.15.

Result of the k-anonymity computation.

Used in: AnalyzeDataSourceRiskDetails

• repeated KAnonymityResult.KAnonymityHistogramBucket equivalence_class_histogram_buckets = 5

  Histogram of k-anonymity equivalence classes.

The set of columns' values that share the same ldiversity value

Used in: KAnonymityHistogramBucket

• repeated Value quasi_ids_values = 1

  Set of values defining the equivalence class. One value per quasi-identifier column in the original KAnonymity metric message. The order is always the same as the original request.

• int64 equivalence_class_size = 2

  Size of the equivalence class, for example number of rows with the above set of values.

Used in: KAnonymityResult

• int64 equivalence_class_size_lower_bound = 1

  Lower bound on the size of the equivalence classes in this bucket.

• int64 equivalence_class_size_upper_bound = 2

  Upper bound on the size of the equivalence classes in this bucket.

• int64 bucket_size = 3

  Total number of equivalence classes in this bucket.

• repeated KAnonymityEquivalenceClass bucket_values = 4

  Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

• int64 bucket_value_count = 5

  Total number of distinct equivalence classes in this bucket.

Result of the reidentifiability analysis. Note that these results are an estimation, not exact values.

Used in: AnalyzeDataSourceRiskDetails

• repeated KMapEstimationResult.KMapEstimationHistogramBucket k_map_estimation_histogram = 1

  The intervals [min_anonymity, max_anonymity] do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_anonymity: 1, max_anonymity: 1, frequency: 17} {min_anonymity: 2, max_anonymity: 3, frequency: 42} {min_anonymity: 5, max_anonymity: 10, frequency: 99} mean that there are no record with an estimated anonymity of 4, 5, or larger than 10.

A KMapEstimationHistogramBucket message with the following values: min_anonymity: 3 max_anonymity: 5 frequency: 42 means that there are 42 records whose quasi-identifier values correspond to 3, 4 or 5 people in the overlying population. An important particular case is when min_anonymity = max_anonymity = 1: the frequency field then corresponds to the number of uniquely identifiable records.

Used in: KMapEstimationResult

• int64 min_anonymity = 1

  Always positive.

• int64 max_anonymity = 2

  Always greater than or equal to min_anonymity.

• int64 bucket_size = 5

  Number of records within these anonymity bounds.

• repeated KMapEstimationQuasiIdValues bucket_values = 6

  Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

• int64 bucket_value_count = 7

  Total number of distinct quasi-identifier tuple values in this bucket.

A tuple of values for the quasi-identifier columns.

Used in: KMapEstimationHistogramBucket

• repeated Value quasi_ids_values = 1

  The quasi-identifier values.

• int64 estimated_anonymity = 2

  The estimated anonymity for these quasi-identifier values.

Result of the l-diversity computation.

Used in: AnalyzeDataSourceRiskDetails

• repeated LDiversityResult.LDiversityHistogramBucket sensitive_value_frequency_histogram_buckets = 5

  Histogram of l-diversity equivalence class sensitive value frequencies.

The set of columns' values that share the same ldiversity value.

Used in: LDiversityHistogramBucket

• repeated Value quasi_ids_values = 1

  Quasi-identifier values defining the k-anonymity equivalence class. The order is always the same as the original request.

• int64 equivalence_class_size = 2

  Size of the k-anonymity equivalence class.

• int64 num_distinct_sensitive_values = 3

  Number of distinct sensitive values in this equivalence class.

• repeated ValueFrequency top_sensitive_values = 4

  Estimated frequencies of top sensitive values.

Used in: LDiversityResult

• int64 sensitive_value_frequency_lower_bound = 1

  Lower bound on the sensitive value frequencies of the equivalence classes in this bucket.

• int64 sensitive_value_frequency_upper_bound = 2

  Upper bound on the sensitive value frequencies of the equivalence classes in this bucket.

• int64 bucket_size = 3

  Total number of equivalence classes in this bucket.

• repeated LDiversityEquivalenceClass bucket_values = 4

  Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

• int64 bucket_value_count = 5

  Total number of distinct equivalence classes in this bucket.

Result of the numerical stats computation.

Used in: AnalyzeDataSourceRiskDetails

• optional Value min_value = 1

  Minimum value appearing in the column.

• optional Value max_value = 2

  Maximum value appearing in the column.

• repeated Value quantile_values = 4

  List of 99 values that partition the set of field values into 100 equal sized buckets.

Message defining a field of a BigQuery table.

Used in: LargeCustomDictionaryConfig

• optional BigQueryTable table = 1

  Source table of the field.

• optional FieldId field = 2

  Designated field in the BigQuery table.

Row key for identifying a record in BigQuery table.

Used in: RecordKey

• optional BigQueryTable table_reference = 1

  Complete BigQuery table reference.

• int64 row_number = 2

  Absolute number of the row from the beginning of the table at the time of scanning.

Options defining BigQuery table and row identifiers.

Used in: StorageConfig

• optional BigQueryTable table_reference = 1

  Complete BigQuery table reference.

• repeated FieldId identifying_fields = 2

  References to fields uniquely identifying rows within the table. Nested fields in the format, like `person.birthdate.year`, are allowed.

• int64 rows_limit = 3

  Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

• int32 rows_limit_percent = 6

  Max percentage of rows to scan. The rest are omitted. The number of rows scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

• BigQueryOptions.SampleMethod sample_method = 4

• repeated FieldId excluded_fields = 5

  References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings.

How to sample rows if not all rows are scanned. Meaningful only when used in conjunction with either rows_limit or rows_limit_percent. If not specified, scanning would start from the top.

Used in: BigQueryOptions

• SAMPLE_METHOD_UNSPECIFIED = 0

• TOP = 1

  Scan from the top (default).

• RANDOM_START = 2

  Randomly pick the row to start scanning. The scanned rows are contiguous.

Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `<project_id>:<dataset_id>.<table_id>` or `<project_id>.<dataset_id>.<table_id>`.

Used in: AnalyzeDataSourceRiskDetails, BigQueryField, BigQueryKey, BigQueryOptions, OutputStorageConfig, PrivacyMetric.KMapEstimationConfig.AuxiliaryTable, RiskAnalysisJobConfig, StatisticalTable

• string project_id = 1

  The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

• string dataset_id = 2

  Dataset ID of the table.

• string table_id = 3

  Name of the table.

Bounding box encompassing detected text within an image.

Used in: ImageLocation

• int32 top = 1

  Top coordinate of the bounding box. (0,0) is upper left.

• int32 left = 2

  Left coordinate of the bounding box. (0,0) is upper left.

• int32 width = 3

  Width of the bounding box in pixels.

• int32 height = 4

  Height of the bounding box in pixels.

Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Used in: PrimitiveTransformation

• repeated BucketingConfig.Bucket buckets = 1

  Set of buckets. Ranges must be non-overlapping.

Bucket is represented as a range, along with replacement values.

Used in: BucketingConfig

• optional Value min = 1

  Lower bound of the range, inclusive. Type should be the same as max if used.

• optional Value max = 2

  Upper bound of the range, exclusive; type must match min.

• optional Value replacement_value = 3

  Replacement value for this bucket. If not provided the default behavior will be to hyphenate the min-max range.

Container for bytes to inspect or redact.

Used in: ContentItem, RedactImageRequest

• ByteContentItem.BytesType type = 1

  The type of data stored in the bytes string. Default will be TEXT_UTF8.

• bytes data = 2

  Content data to inspect or redact.

Used in: ByteContentItem

• BYTES_TYPE_UNSPECIFIED = 0

• IMAGE = 6

• IMAGE_JPEG = 1

• IMAGE_BMP = 2

• IMAGE_PNG = 3

• IMAGE_SVG = 4

• TEXT_UTF8 = 5

• AVRO = 11

Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3.

Used in: PrimitiveTransformation

• string masking_character = 1

  Character to mask the sensitive values&mdash;for example, "*" for an alphabetic string such as name, or "0" for a numeric string such as ZIP code or credit card number. String must have length 1. If not supplied, we will default to "*" for strings, 0 for digits.

• int32 number_to_mask = 2

  Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

• bool reverse_order = 3

  Mask characters in reverse order. For example, if `masking_character` is '0', number_to_mask is 14, and `reverse_order` is false, then 1234-5678-9012-3456 -> 00000000000000-3456 If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order` is true, then 12345 -> 12***

• repeated CharsToIgnore characters_to_ignore = 4

  When masking a string, items in this list will be skipped when replacing. For example, if your string is 555-555-5555 and you ask us to skip `-` and mask 5 chars with * we would produce ***-*55-5555.

Characters to skip when doing deidentification of a value. These will be left alone and skipped.

Used in: CharacterMaskConfig

• oneof characters

  • string characters_to_skip = 1

  • CharsToIgnore.CommonCharsToIgnore common_characters_to_ignore = 2

Used in: CharsToIgnore

• COMMON_CHARS_TO_IGNORE_UNSPECIFIED = 0

• NUMERIC = 1

  0-9

• ALPHA_UPPER_CASE = 2

  A-Z

• ALPHA_LOWER_CASE = 3

  a-z

• PUNCTUATION = 4

  US Punctuation, one of !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

• WHITESPACE = 5

  Whitespace character, one of [ \t\n\x0B\f\r]

Message representing a set of files in Cloud Storage.

Used in: LargeCustomDictionaryConfig

• string url = 1

  The url, in the format `gs://<bucket>/<path>`. Trailing wildcard in the path is allowed.

Options defining a file or a set of files within a Google Cloud Storage bucket.

Used in: StorageConfig

• optional CloudStorageOptions.FileSet file_set = 1

  The set of one or more files to scan.

• int64 bytes_limit_per_file = 4

  Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

• int32 bytes_limit_per_file_percent = 8

  Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

• repeated FileType file_types = 5

  List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well.

• CloudStorageOptions.SampleMethod sample_method = 6

• int32 files_limit_percent = 7

  Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0.

Set of files to scan.

Used in: CloudStorageOptions

• string url = 1

  The Cloud Storage url of the file(s) to scan, in the format `gs://<bucket>/<path>`. Trailing wildcard in the path is allowed. If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that `gs://mybucket/` is equivalent to `gs://mybucket/*`, and `gs://mybucket/directory/` is equivalent to `gs://mybucket/directory/*`. Exactly one of `url` or `regex_file_set` must be set.

• optional CloudStorageRegexFileSet regex_file_set = 2

  The regex-filtered set of files to scan. Exactly one of `url` or `regex_file_set` must be set.

How to sample bytes if not all bytes are scanned. Meaningful only when used in conjunction with bytes_limit_per_file. If not specified, scanning would start from the top.

Used in: CloudStorageOptions

• SAMPLE_METHOD_UNSPECIFIED = 0

• TOP = 1

  Scan from the top (default).

• RANDOM_START = 2

  For each file larger than bytes_limit_per_file, randomly pick the offset to start scanning. The scanned bytes are contiguous.

Message representing a single file or path in Cloud Storage.

Used in: CustomInfoType.Dictionary, LargeCustomDictionaryConfig

• string path = 1

  A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

Message representing a set of files in a Cloud Storage bucket. Regular expressions are used to allow fine-grained control over which files in the bucket to include. Included files are those that match at least one item in `include_regex` and do not match any items in `exclude_regex`. Note that a file that matches items from both lists will _not_ be included. For a match to occur, the entire file path (i.e., everything in the url after the bucket name) must match the regular expression. For example, given the input `{bucket_name: "mybucket", include_regex: ["directory1/.*"], exclude_regex: ["directory1/excluded.*"]}`: * `gs://mybucket/directory1/myfile` will be included * `gs://mybucket/directory1/directory2/myfile` will be included (`.*` matches across `/`) * `gs://mybucket/directory0/directory1/myfile` will _not_ be included (the full path doesn't match any items in `include_regex`) * `gs://mybucket/directory1/excludedfile` will _not_ be included (the path matches an item in `exclude_regex`) If `include_regex` is left empty, it will match all files by default (this is equivalent to setting `include_regex: [".*"]`). Some other common use cases: * `{bucket_name: "mybucket", exclude_regex: [".*\.pdf"]}` will include all files in `mybucket` except for .pdf files * `{bucket_name: "mybucket", include_regex: ["directory/[^/]+"]}` will include all files directly under `gs://mybucket/directory/`, without matching across `/`

Used in: CloudStorageOptions.FileSet

• string bucket_name = 1

  The name of a Cloud Storage bucket. Required.

• repeated string include_regex = 2

  A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in `exclude_regex`. Leaving this field empty will match all files by default (this is equivalent to including `.*` in the list). Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.

• repeated string exclude_regex = 3

  A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub.

Represents a color in the RGB color space.

Used in: RedactImageRequest.ImageRedactionConfig

• float red = 1

  The amount of red in the color as a value in the interval [0, 1].

• float green = 2

  The amount of green in the color as a value in the interval [0, 1].

• float blue = 3

  The amount of blue in the color as a value in the interval [0, 1].

Container structure for the content to inspect.

Used in: DeidentifyContentRequest, DeidentifyContentResponse, InspectContentRequest, ReidentifyContentRequest, ReidentifyContentResponse

• oneof data_item

  Data of the item either in the byte array or UTF-8 string form, or table.

  • string value = 3

    String data to inspect or redact.

  • Table table = 4

    Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

  • ByteContentItem byte_item = 5

    Content data to inspect or redact. Replaces `type` and `data`.

Findings container location data.

Used in: Location

• string container_name = 1

  Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `<project_id>:<dataset_id>.<table_id>` * Cloud Storage files: `gs://<bucket>/<path>` * Datastore namespace: <namespace> Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

• oneof location

  Type of the container within the file with location of the finding.

  • RecordLocation record_location = 2

    Location within a row or record of a database table.

  • ImageLocation image_location = 3

    Location within an image's pixels.

  • DocumentLocation document_location = 5

    Location data for document files.

• optional protobuf.Timestamp container_timestamp = 6

  Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

• string container_version = 7

  Findings container version, if available ("generation" for Google Cloud Storage).

Options describing which parts of the provided content should be scanned.

Used in: InspectConfig

• CONTENT_UNSPECIFIED = 0

  Includes entire content of a file or a data stream.

• CONTENT_TEXT = 1

  Text content within the data, excluding any metadata.

• CONTENT_IMAGE = 2

  Images found in the data.

Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

Used in: PrimitiveTransformation

• optional CryptoKey crypto_key = 1

  The key used by the encryption function.

• optional InfoType surrogate_info_type = 2

  The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: <info type name>(<surrogate character count>):<surrogate> For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

• optional FieldId context = 3

  Optional. A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

Used in: PrimitiveTransformation

• optional CryptoKey crypto_key = 1

  The key used by the hash function.

This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key.

Used in: CryptoDeterministicConfig, CryptoHashConfig, CryptoReplaceFfxFpeConfig, DateShiftConfig

• oneof source

  • TransientCryptoKey transient = 1

  • UnwrappedCryptoKey unwrapped = 2

  • KmsWrappedCryptoKey kms_wrapped = 3

Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity.

Used in: PrimitiveTransformation

• optional CryptoKey crypto_key = 1

  The key used by the encryption algorithm. [required]

• optional FieldId context = 2

  The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

• oneof alphabet

  • CryptoReplaceFfxFpeConfig.FfxCommonNativeAlphabet common_alphabet = 4

  • string custom_alphabet = 5

    This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 62]. This must be encoded as ASCII. The order of characters does not matter.

  • int32 radix = 6

    The native way to select the alphabet. Must be in the range [2, 62].

• optional InfoType surrogate_info_type = 8

  The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

These are commonly used subsets of the alphabet that the FFX mode natively supports. In the algorithm, the alphabet is selected using the "radix". Therefore each corresponds to particular radix.

Used in: CryptoReplaceFfxFpeConfig

• FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED = 0

• NUMERIC = 1

  [0-9] (radix of 10)

• HEXADECIMAL = 2

  [0-9A-F] (radix of 16)

• UPPER_CASE_ALPHA_NUMERIC = 3

  [0-9A-Z] (radix of 36)

• ALPHA_NUMERIC = 4

  [0-9A-Za-z] (radix of 62)

Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

Used in: InspectConfig

• optional InfoType info_type = 1

  CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

• Likelihood likelihood = 6

  Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

• oneof type

  • CustomInfoType.Dictionary dictionary = 2

    A list of phrases to detect as a CustomInfoType.

  • CustomInfoType.Regex regex = 3

    Regular expression based CustomInfoType.

  • CustomInfoType.SurrogateType surrogate_type = 4

    Message for detecting output from deidentification transformations that support reversing.

  • StoredType stored_type = 5

    Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

• repeated CustomInfoType.DetectionRule detection_rules = 7

  Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

• CustomInfoType.ExclusionType exclusion_type = 8

  If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

Used in: CustomInfoType

• oneof type

  • DetectionRule.HotwordRule hotword_rule = 1

    Hotword-based detection rule.

The rule that adjusts the likelihood of findings within a certain proximity of hotwords.

Used in: DetectionRule, InspectionRule

• optional Regex hotword_regex = 1

  Regular expression pattern defining what qualifies as a hotword.

• optional Proximity proximity = 2

  Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.

• optional LikelihoodAdjustment likelihood_adjustment = 3

  Likelihood adjustment to apply to all matching findings.

Message for specifying an adjustment to the likelihood of a finding as part of a detection rule.

Used in: HotwordRule

• oneof adjustment

  • Likelihood fixed_likelihood = 1

    Set the likelihood of a finding to a fixed value.

  • int32 relative_likelihood = 2

    Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Message for specifying a window around a finding to apply a detection rule.

Used in: HotwordRule

• int32 window_before = 1

  Number of characters before the finding to consider.

• int32 window_after = 2

  Number of characters after the finding to consider.

Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API.

Used in: CustomInfoType, ExclusionRule

• oneof source

  • Dictionary.WordList word_list = 1

    List of words or phrases to search for.

  • CloudStoragePath cloud_storage_path = 3

    Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

Message defining a list of words or phrases to search for in the data.

Used in: Dictionary

• repeated string words = 1

  Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

Used in: CustomInfoType

• EXCLUSION_TYPE_UNSPECIFIED = 0

  A finding of this custom info type will not be excluded from results.

• EXCLUSION_TYPE_EXCLUDE = 1

  A finding of this custom info type will be excluded from final results, but can still affect rule execution.

Message defining a custom regular expression.

Used in: CustomInfoType, DetectionRule.HotwordRule, ExclusionRule

• string pattern = 1

  Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

• repeated int32 group_indexes = 2

  The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`.

Used in: CustomInfoType

(message has no fields)

Record key for a finding in Cloud Datastore.

Used in: RecordKey

• optional Key entity_key = 1

  Datastore entity key.

Options defining a data set within Google Cloud Datastore.

Used in: StorageConfig

• optional PartitionId partition_id = 1

  A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.

• optional KindExpression kind = 2

  The kind to process.

Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more.

Used in: PrimitiveTransformation

• int32 upper_bound_days = 1

  Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. [Required]

• int32 lower_bound_days = 2

  For example, -5 means shift date to at most 5 days back in the past. [Required]

• optional FieldId context = 3

  Points to the field that contains the context, for example, an entity id. If set, must also set method. If set, shift will be consistent for the given context.

• oneof method

  Method for calculating shift that takes context into consideration. If set, must also set context. Can only be applied to table items.

  • CryptoKey crypto_key = 4

    Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key.

Message for a date time object. e.g. 2018-01-01, 5th August.

Used in: QuoteInfo

• optional type.Date date = 1

  One or more of the following must be set. All fields are optional, but when set must be valid date or time values.

• type.DayOfWeek day_of_week = 2

• optional type.TimeOfDay time = 3

• optional DateTime.TimeZone time_zone = 4

Used in: DateTime

• int32 offset_minutes = 1

  Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.

The configuration that controls how the data will change.

Used in: DeidentifyContentRequest, DeidentifyTemplate, ReidentifyContentRequest

• oneof transformation

  • InfoTypeTransformations info_type_transformations = 1

    Treat the dataset as free-form text and apply the same free text transformation everywhere.

  • RecordTransformations record_transformations = 2

    Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

The DeidentifyTemplates contains instructions on how to deidentify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Used as response type in: DlpService.CreateDeidentifyTemplate, DlpService.GetDeidentifyTemplate, DlpService.UpdateDeidentifyTemplate

Used as field type in: CreateDeidentifyTemplateRequest, ListDeidentifyTemplatesResponse, UpdateDeidentifyTemplateRequest

• string name = 1

  The template name. Output only. The template will have one of the following formats: `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

• string display_name = 2

  Display name (max 256 chars).

• string description = 3

  Short description (max 256 chars).

• optional protobuf.Timestamp create_time = 4

  The creation timestamp of a inspectTemplate, output only field.

• optional protobuf.Timestamp update_time = 5

  The last update timestamp of a inspectTemplate, output only field.

• optional DeidentifyConfig deidentify_config = 6

  ///////////// // The core content of the template // ///////////////

Combines all of the information about a DLP job.

Used as response type in: DlpService.ActivateJobTrigger, DlpService.CreateDlpJob, DlpService.GetDlpJob

Used as field type in: ListDlpJobsResponse

• string name = 1

  The server-assigned name.

• DlpJobType type = 2

  The type of job.

• DlpJob.JobState state = 3

  State of a job.

• oneof details

  • AnalyzeDataSourceRiskDetails risk_details = 4

    Results from analyzing risk of a data source.

  • InspectDataSourceDetails inspect_details = 5

    Results from inspecting a data source.

• optional protobuf.Timestamp create_time = 6

  Time when the job was created.

• optional protobuf.Timestamp start_time = 7

  Time when the job started.

• optional protobuf.Timestamp end_time = 8

  Time when the job finished.

• string job_trigger_name = 10

  If created by a job trigger, the resource name of the trigger that instantiated the job.

• repeated Error errors = 11

  A stream of errors encountered running the job.

Used in: DlpJob

• JOB_STATE_UNSPECIFIED = 0

• PENDING = 1

  The job has not yet started.

• RUNNING = 2

  The job is currently running.

• DONE = 3

  The job is no longer running.

• CANCELED = 4

  The job was canceled before it could complete.

• FAILED = 5

  The job had an error and did not complete.

An enum to represent the various type of DLP jobs.

Used in: DlpJob, ListDlpJobsRequest

• DLP_JOB_TYPE_UNSPECIFIED = 0

• INSPECT_JOB = 1

  The job inspected Google Cloud for sensitive data.

• RISK_ANALYSIS_JOB = 2

  The job executed a Risk Analysis computation.

Location of a finding within a document.

Used in: ContentLocation

• int64 file_offset = 1

  Offset of the line, from the beginning of the file, where the finding is located.

An entity in a dataset is a field or set of fields that correspond to a single person. For example, in medical records the `EntityId` might be a patient identifier, or for financial records it might be an account identifier. This message is used when generalizations or analysis must take into account that multiple rows correspond to the same entity.

Used in: PrivacyMetric.KAnonymityConfig

• optional FieldId field = 1

  Composite key indicating which field contains the entity identifier.

Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger. Output only field.

Used in: DlpJob, JobTrigger, StoredInfoTypeVersion

• optional rpc.Status details = 1

• repeated protobuf.Timestamp timestamps = 2

  The times the error occurred.

List of exclude infoTypes.

Used in: ExclusionRule

• repeated InfoType info_types = 1

  InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results.

Used in: InspectionRule

• oneof type

  • CustomInfoType.Dictionary dictionary = 1

    Dictionary which defines the rule.

  • CustomInfoType.Regex regex = 2

    Regular expression which defines the rule.

  • ExcludeInfoTypes exclude_info_types = 3

    Set of infoTypes for which findings would affect this rule.

• MatchingType matching_type = 4

  How the rule is applied, see MatchingType documentation for details.

General identifier of a data field in a storage service.

Used in: BigQueryField, BigQueryOptions, CryptoDeterministicConfig, CryptoReplaceFfxFpeConfig, DateShiftConfig, EntityId, FieldTransformation, PrivacyMetric.CategoricalStatsConfig, PrivacyMetric.KAnonymityConfig, PrivacyMetric.KMapEstimationConfig.AuxiliaryTable, PrivacyMetric.KMapEstimationConfig.AuxiliaryTable.QuasiIdField, PrivacyMetric.KMapEstimationConfig.TaggedField, PrivacyMetric.LDiversityConfig, PrivacyMetric.NumericalStatsConfig, QuasiId, RecordCondition.Condition, RecordLocation, StatisticalTable, StatisticalTable.QuasiIdentifierField, StorageConfig.TimespanConfig, Table, TransformationSummary

• string name = 1

  Name describing the field.

The transformation to apply to the field.

Used in: RecordTransformations, TransformationSummary

• repeated FieldId fields = 1

  Input field(s) to apply the transformation to. [required]

• optional RecordCondition condition = 3

  Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. [optional] Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

• oneof transformation

  Transformation to apply. [required]

  • PrimitiveTransformation primitive_transformation = 4

    Apply the transformation to the entire field.

  • InfoTypeTransformations info_type_transformations = 5

    Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

Definitions of file type groups to scan.

Used in: CloudStorageOptions

• FILE_TYPE_UNSPECIFIED = 0

  Includes all files.

• BINARY_FILE = 1

  Includes all file extensions not covered by text file types.

• TEXT_FILE = 2

  Included file extensions: asc, brf, c, cc, cpp, csv, cxx, c++, cs, css, dart, eml, go, h, hh, hpp, hxx, h++, hs, html, htm, shtml, shtm, xhtml, lhs, ini, java, js, json, ocaml, md, mkd, markdown, m, ml, mli, pl, pm, php, phtml, pht, py, pyw, rb, rbw, rs, rc, scala, sh, sql, tex, txt, text, tsv, vcard, vcs, wml, xml, xsl, xsd, yml, yaml.

• IMAGE = 3

  Included file extensions: bmp, gif, jpg, jpeg, jpe, png. bytes_limit_per_file has no effect on image files.

• AVRO = 7

  Included file extensions: avro

Represents a piece of potentially sensitive content.

Used in: InspectResult

• string quote = 1

  The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if `include_quote` is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.

• optional InfoType info_type = 2

  The type of content that might have been found. Provided if `excluded_types` is false.

• Likelihood likelihood = 3

  Confidence of how likely it is that the `info_type` is correct.

• optional Location location = 4

  Where the content was found.

• optional protobuf.Timestamp create_time = 6

  Timestamp when finding was detected.

• optional QuoteInfo quote_info = 7

  Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Used in: PrimitiveTransformation

• optional Value lower_bound = 1

  Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value “-10”. [Required].

• optional Value upper_bound = 2

  Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value “89+”. [Required].

• double bucket_size = 3

  Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].

Location of the finding within an image.

Used in: ContentLocation

• repeated BoundingBox bounding_boxes = 1

  Bounding boxes locating the pixels within the image containing the finding.

Type of information detected by the API.

Used in: CryptoDeterministicConfig, CryptoReplaceFfxFpeConfig, CustomInfoType, ExcludeInfoTypes, Finding, InfoTypeStats, InfoTypeTransformations.InfoTypeTransformation, InspectConfig, InspectConfig.FindingLimits.InfoTypeLimit, InspectionRuleSet, PrivacyMetric.KMapEstimationConfig.TaggedField, QuasiId, RedactImageRequest.ImageRedactionConfig, TransformationSummary

• string name = 1

  Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. InfoType names should conform to the pattern [a-zA-Z0-9_]{1,64}.

InfoType description.

Used in: ListInfoTypesResponse

• string name = 1

  Internal name of the infoType.

• string display_name = 2

  Human readable form of the infoType name.

• repeated InfoTypeSupportedBy supported_by = 3

  Which parts of the API supports this InfoType.

• string description = 4

  Description of the infotype. Translated when language is provided in the request.

Statistics regarding a specific InfoType.

Used in: InspectDataSourceDetails.Result

• optional InfoType info_type = 1

  The type of finding this stat is for.

• int64 count = 2

  Number of findings for this infoType.

Parts of the APIs which use certain infoTypes.

Used in: InfoTypeDescription

• ENUM_TYPE_UNSPECIFIED = 0

• INSPECT = 1

  Supported by the inspect operations.

• RISK_ANALYSIS = 2

  Supported by the risk analysis operations.

A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type.

Used in: DeidentifyConfig, FieldTransformation

• repeated InfoTypeTransformations.InfoTypeTransformation transformations = 1

  Transformation for each infoType. Cannot specify more than one for a given infoType. [required]

A transformation to apply to text that is identified as a specific info_type.

Used in: InfoTypeTransformations

• repeated InfoType info_types = 1

  InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

• optional PrimitiveTransformation primitive_transformation = 2

  Primitive transformation to apply to the infoType. [required]

Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used.

Used in: DeidentifyContentRequest, InspectContentRequest, InspectJobConfig, InspectTemplate, RedactImageRequest, ReidentifyContentRequest

• repeated InfoType info_types = 1

  Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. The special InfoType name "ALL_BASIC" can be used to trigger all detectors, but may change over time as new InfoTypes are added. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference.

• Likelihood min_likelihood = 2

  Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

• optional InspectConfig.FindingLimits limits = 3

• bool include_quote = 4

  When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

• bool exclude_info_types = 5

  When true, excludes type information of the findings.

• repeated CustomInfoType custom_info_types = 6

  CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

• repeated ContentOption content_options = 8

  List of options defining data content to scan. If empty, text, images, and other content will be included.

• repeated InspectionRuleSet rule_set = 10

  Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

Used in: InspectConfig

• int32 max_findings_per_item = 1

  Max number of findings that will be returned for each item scanned. When set within `InspectDataSourceRequest`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

• int32 max_findings_per_request = 2

  Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

• repeated FindingLimits.InfoTypeLimit max_findings_per_info_type = 3

  Configuration of findings limit given for specified infoTypes.

Max findings configuration per infoType, per content item or long running DlpJob.

Used in: FindingLimits

• optional InfoType info_type = 1

  Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

• int32 max_findings = 2

  Max findings limit for the given infoType.

The results of an inspect DataSource job.

Used in: DlpJob

• optional InspectDataSourceDetails.RequestedOptions requested_options = 2

  The configuration used for this job.

• optional InspectDataSourceDetails.Result result = 3

  A summary of the outcome of this inspect job.

Used in: InspectDataSourceDetails

• optional InspectTemplate snapshot_inspect_template = 1

  If run with an InspectTemplate, a snapshot of its state at the time of this run.

• optional InspectJobConfig job_config = 3

All result fields mentioned below are updated while the job is processing.

Used in: InspectDataSourceDetails

• int64 processed_bytes = 1

  Total size in bytes that were processed.

• int64 total_estimated_bytes = 2

  Estimate of the number of bytes to process.

• repeated InfoTypeStats info_type_stats = 3

  Statistics of how many instances of each info type were found during inspect job.

Used in: CreateDlpJobRequest, InspectDataSourceDetails.RequestedOptions, JobTrigger

• optional StorageConfig storage_config = 1

  The data to scan.

• optional InspectConfig inspect_config = 2

  How and what to scan for.

• string inspect_template_name = 3

  If provided, will be used as the default for all values in InspectConfig. `inspect_config` will be merged into the values persisted as part of the template.

• repeated Action actions = 4

  Actions to execute at the completion of the job.

All the findings for a single scanned item.

Used in: InspectContentResponse, RedactImageResponse

• repeated Finding findings = 1

  List of findings for an item.

• bool findings_truncated = 2

  If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.

The inspectTemplate contains a configuration (set of types of sensitive data to be detected) to be used anywhere you otherwise would normally specify InspectConfig. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Used as response type in: DlpService.CreateInspectTemplate, DlpService.GetInspectTemplate, DlpService.UpdateInspectTemplate

Used as field type in: CreateInspectTemplateRequest, InspectDataSourceDetails.RequestedOptions, ListInspectTemplatesResponse, UpdateInspectTemplateRequest

• string name = 1

  The template name. Output only. The template will have one of the following formats: `projects/PROJECT_ID/inspectTemplates/TEMPLATE_ID` OR `organizations/ORGANIZATION_ID/inspectTemplates/TEMPLATE_ID`

• string display_name = 2

  Display name (max 256 chars).

• string description = 3

  Short description (max 256 chars).

• optional protobuf.Timestamp create_time = 4

  The creation timestamp of a inspectTemplate, output only field.

• optional protobuf.Timestamp update_time = 5

  The last update timestamp of a inspectTemplate, output only field.

• optional InspectConfig inspect_config = 6

  The core content of the template. Configuration of the scanning process.

A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

Used in: InspectionRuleSet

• oneof type

  • CustomInfoType.DetectionRule.HotwordRule hotword_rule = 1

    Hotword-based detection rule.

  • ExclusionRule exclusion_rule = 2

    Exclusion rule.

Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Used in: InspectConfig

• repeated InfoType info_types = 1

  List of infoTypes this rule set is applied to.

• repeated InspectionRule rules = 2

  Set of rules to be applied to infoTypes. The rules are applied in order.

Contains a configuration to make dlp api calls on a repeating basis. See https://cloud.google.com/dlp/docs/concepts-job-triggers to learn more.

Used as response type in: DlpService.CreateJobTrigger, DlpService.GetJobTrigger, DlpService.UpdateJobTrigger

Used as field type in: CreateJobTriggerRequest, ListJobTriggersResponse, UpdateJobTriggerRequest

• string name = 1

  Unique resource name for the triggeredJob, assigned by the service when the triggeredJob is created, for example `projects/dlp-test-project/triggeredJobs/53234423`.

• string display_name = 2

  Display name (max 100 chars)

• string description = 3

  User provided description (max 256 chars)

• oneof job

  The configuration details for the specific type of job to run.

  • InspectJobConfig inspect_job = 4

• repeated JobTrigger.Trigger triggers = 5

  A list of triggers which will be OR'ed together. Only one in the list needs to trigger for a job to be started. The list may contain only a single Schedule trigger and must have at least one object.

• repeated Error errors = 6

  A stream of errors encountered when the trigger was activated. Repeated errors may result in the JobTrigger automatically being paused. Will return the last 100 errors. Whenever the JobTrigger is modified this list will be cleared. Output only field.

• optional protobuf.Timestamp create_time = 7

  The creation timestamp of a triggeredJob, output only field.

• optional protobuf.Timestamp update_time = 8

  The last update timestamp of a triggeredJob, output only field.

• optional protobuf.Timestamp last_run_time = 9

  The timestamp of the last time this trigger executed, output only field.

• JobTrigger.Status status = 10

  A status for this trigger. [required]

Whether the trigger is currently active. If PAUSED or CANCELLED, no jobs will be created with this configuration. The service may automatically pause triggers experiencing frequent errors. To restart a job, set the status to HEALTHY after correcting user errors.

Used in: JobTrigger

• STATUS_UNSPECIFIED = 0

• HEALTHY = 1

  Trigger is healthy.

• PAUSED = 2

  Trigger is temporarily paused.

• CANCELLED = 3

  Trigger is cancelled and can not be resumed.

What event needs to occur for a new job to be started.

Used in: JobTrigger

• oneof trigger

  • Schedule schedule = 1

    Create a job on a repeating basis based on the elapse of time.

A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts.

Used in: DatastoreKey

• optional PartitionId partition_id = 1

  Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.

• repeated Key.PathElement path = 2

  The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a _root entity_, the second element identifies a _child_ of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's _ancestors_. A path can never be empty, and a path can have at most 100 elements.

A (kind, ID/name) pair used to construct a key path. If either name or ID is set, the element is complete. If neither is set, the element is incomplete.

Used in: Key

• string kind = 1

  The kind of the entity. A kind matching regex `__.*__` is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

• oneof id_type

  The type of ID.

  • int64 id = 2

    The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.

  • string name = 3

    The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

A representation of a Datastore kind.

Used in: DatastoreOptions

• string name = 1

  The name of the kind.

Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt

Used in: CryptoKey

• bytes wrapped_key = 1

  The wrapped data crypto key. [required]

• string crypto_key_name = 2

  The resource name of the KMS CryptoKey to use for unwrapping. [required]

Configuration for a custom dictionary created from a data source of any size up to the maximum size defined in the [limits](https://cloud.google.com/dlp/limits) page. The artifacts of dictionary creation are stored in the specified Google Cloud Storage location. Consider using `CustomInfoType.Dictionary` for smaller dictionaries that satisfy the size requirements.

Used in: StoredInfoTypeConfig

• optional CloudStoragePath output_path = 1

  Location to store dictionary artifacts in Google Cloud Storage. These files will only be accessible by project owners and the DLP API. If any of these artifacts are modified, the dictionary is considered invalid and can no longer be used.

• oneof source

  • CloudStorageFileSet cloud_storage_file_set = 2

    Set of files containing newline-delimited lists of dictionary phrases.

  • BigQueryField big_query_field = 3

    Field in a BigQuery table where each cell represents a dictionary phrase.

Summary statistics of a custom dictionary.

Used in: StoredInfoTypeStats

• int64 approx_num_phrases = 1

  Approximate number of distinct phrases in the dictionary.

Categorization of results based on how likely they are to represent a match, based on the number of elements they contain which imply a match.

Used in: CustomInfoType, CustomInfoType.DetectionRule.LikelihoodAdjustment, Finding, InspectConfig

• LIKELIHOOD_UNSPECIFIED = 0

  Default value; same as POSSIBLE.

• VERY_UNLIKELY = 1

  Few matching elements.

• UNLIKELY = 2

• POSSIBLE = 3

  Some matching elements.

• LIKELY = 4

• VERY_LIKELY = 5

  Many matching elements.

Specifies the location of the finding.

Used in: Finding

• optional Range byte_range = 1

  Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.

• optional Range codepoint_range = 2

  Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text.

• repeated ContentLocation content_locations = 7

  List of nested objects pointing to the precise location of the finding within the file or record.

Type of the match which can be applied to different ways of matching, like Dictionary, regular expression and intersecting with findings of another info type.

Used in: ExclusionRule

• MATCHING_TYPE_UNSPECIFIED = 0

  Invalid.

• MATCHING_TYPE_FULL_MATCH = 1

  Full match. - Dictionary: join of Dictionary results matched complete finding quote - Regex: all regex matches fill a finding quote start to end - Exclude info type: completely inside affecting info types findings

• MATCHING_TYPE_PARTIAL_MATCH = 2

  Partial match. - Dictionary: at least one of the tokens in the finding matches - Regex: substring of the finding matches - Exclude info type: intersects with affecting info types findings

• MATCHING_TYPE_INVERSE_MATCH = 3

  Inverse match. - Dictionary: no tokens in the finding match the dictionary - Regex: finding doesn't match the regex - Exclude info type: no intersection with affecting info types findings

Cloud repository for storing output.

Used in: Action.SaveFindings

• oneof type

  • BigQueryTable table = 1

    Store findings in an existing table or a new table in an existing dataset. If table_id is not set a new one will be generated for you with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. Pacific timezone will be used for generating the date details. For Inspect, each column in an existing output table must have the same name, type, and mode of a field in the `Finding` object. For Risk, an existing output table should be the output of a previous Risk analysis job run on the same source table, with the same privacy metric and quasi-identifiers. Risk jobs that analyze the same table but compute a different privacy metric, or use different sets of quasi-identifiers, cannot store their results in the same table.

• OutputStorageConfig.OutputSchema output_schema = 3

  Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the `Finding` object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted. If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema.

Predefined schemas for storing findings.

Used in: OutputStorageConfig

• OUTPUT_SCHEMA_UNSPECIFIED = 0

• BASIC_COLUMNS = 1

  Basic schema including only `info_type`, `quote`, `certainty`, and `timestamp`.

• GCS_COLUMNS = 2

  Schema tailored to findings from scanning Google Cloud Storage.

• DATASTORE_COLUMNS = 3

  Schema tailored to findings from scanning Google Datastore.

• BIG_QUERY_COLUMNS = 4

  Schema tailored to findings from scanning Google BigQuery.

• ALL_COLUMNS = 5

  Schema containing all columns.

Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID.

Used in: DatastoreOptions, Key

• string project_id = 2

  The ID of the project to which the entities belong.

• string namespace_id = 4

  If not empty, the ID of the namespace to which the entities belong.

A rule for transforming a value.

Used in: FieldTransformation, InfoTypeTransformations.InfoTypeTransformation, TransformationSummary

• oneof transformation

  • ReplaceValueConfig replace_config = 1

  • RedactConfig redact_config = 2

  • CharacterMaskConfig character_mask_config = 3

  • CryptoReplaceFfxFpeConfig crypto_replace_ffx_fpe_config = 4

  • FixedSizeBucketingConfig fixed_size_bucketing_config = 5

  • BucketingConfig bucketing_config = 6

  • ReplaceWithInfoTypeConfig replace_with_info_type_config = 7

  • TimePartConfig time_part_config = 8

  • CryptoHashConfig crypto_hash_config = 9

  • DateShiftConfig date_shift_config = 11

  • CryptoDeterministicConfig crypto_deterministic_config = 12

Privacy metric to compute for reidentification risk analysis.

Used in: AnalyzeDataSourceRiskDetails, RiskAnalysisJobConfig

• oneof type

  • PrivacyMetric.NumericalStatsConfig numerical_stats_config = 1

  • PrivacyMetric.CategoricalStatsConfig categorical_stats_config = 2

  • PrivacyMetric.KAnonymityConfig k_anonymity_config = 3

  • PrivacyMetric.LDiversityConfig l_diversity_config = 4

  • PrivacyMetric.KMapEstimationConfig k_map_estimation_config = 5

  • PrivacyMetric.DeltaPresenceEstimationConfig delta_presence_estimation_config = 6

Compute numerical stats over an individual column, including number of distinct values and value count distribution.

Used in: PrivacyMetric

• optional FieldId field = 1

  Field to compute categorical stats on. All column types are supported except for arrays and structs. However, it may be more informative to use NumericalStats when the field type is supported, depending on the data.

δ-presence metric, used to estimate how likely it is for an attacker to figure out that one given individual appears in a de-identified dataset. Similarly to the k-map metric, we cannot compute δ-presence exactly without knowing the attack dataset, so we use a statistical model instead.

Used in: PrivacyMetric

• repeated QuasiId quasi_ids = 1

  Fields considered to be quasi-identifiers. No two fields can have the same tag. [required]

• string region_code = 2

  ISO 3166-1 alpha-2 region code to use in the statistical modeling. Required if no column is tagged with a region-specific InfoType (like US_ZIP_5) or a region code.

• repeated StatisticalTable auxiliary_tables = 3

  Several auxiliary tables can be used in the analysis. Each custom_tag used to tag a quasi-identifiers field must appear in exactly one field of one auxiliary table.

k-anonymity metric, used for analysis of reidentification risk.

Used in: PrivacyMetric

• repeated FieldId quasi_ids = 1

  Set of fields to compute k-anonymity over. When multiple fields are specified, they are considered a single composite key. Structs and repeated data types are not supported; however, nested fields are supported so long as they are not structs themselves or nested within a repeated field.

• optional EntityId entity_id = 2

  Optional message indicating that multiple rows might be associated to a single individual. If the same entity_id is associated to multiple quasi-identifier tuples over distinct rows, we consider the entire collection of tuples as the composite quasi-identifier. This collection is a multiset: the order in which the different tuples appear in the dataset is ignored, but their frequency is taken into account. Important note: a maximum of 1000 rows can be associated to a single entity ID. If more rows are associated with the same entity ID, some might be ignored.

Reidentifiability metric. This corresponds to a risk model similar to what is called "journalist risk" in the literature, except the attack dataset is statistically modeled instead of being perfectly known. This can be done using publicly available data (like the US Census), or using a custom statistical model (indicated as one or several BigQuery tables), or by extrapolating from the distribution of values in the input dataset. A column with a semantic tag attached.

Used in: PrivacyMetric

• repeated KMapEstimationConfig.TaggedField quasi_ids = 1

  Fields considered to be quasi-identifiers. No two columns can have the same tag. [required]

• string region_code = 2

  ISO 3166-1 alpha-2 region code to use in the statistical modeling. Required if no column is tagged with a region-specific InfoType (like US_ZIP_5) or a region code.

• repeated KMapEstimationConfig.AuxiliaryTable auxiliary_tables = 3

  Several auxiliary tables can be used in the analysis. Each custom_tag used to tag a quasi-identifiers column must appear in exactly one column of one auxiliary table.

An auxiliary table contains statistical information on the relative frequency of different quasi-identifiers values. It has one or several quasi-identifiers columns, and one column that indicates the relative frequency of each quasi-identifier tuple. If a tuple is present in the data but not in the auxiliary table, the corresponding relative frequency is assumed to be zero (and thus, the tuple is highly reidentifiable).

Used in: KMapEstimationConfig

• optional BigQueryTable table = 3

  Auxiliary table location. [required]

• repeated AuxiliaryTable.QuasiIdField quasi_ids = 1

  Quasi-identifier columns. [required]

• optional FieldId relative_frequency = 2

  The relative frequency column must contain a floating-point number between 0 and 1 (inclusive). Null values are assumed to be zero. [required]

A quasi-identifier column has a custom_tag, used to know which column in the data corresponds to which column in the statistical model.

Used in: AuxiliaryTable

• optional FieldId field = 1

• string custom_tag = 2

Used in: KMapEstimationConfig

• optional FieldId field = 1

  Identifies the column. [required]

• oneof tag

  Semantic tag that identifies what a column contains, to determine which statistical model to use to estimate the reidentifiability of each value. [required]

  • InfoType info_type = 2

    A column can be tagged with a InfoType to use the relevant public dataset as a statistical model of population, if available. We currently support US ZIP codes, region codes, ages and genders. To programmatically obtain the list of supported InfoTypes, use ListInfoTypes with the supported_by=RISK_ANALYSIS filter.

  • string custom_tag = 3

    A column can be tagged with a custom tag. In this case, the user must indicate an auxiliary table that contains statistical information on the possible values of this column (below).

  • protobuf.Empty inferred = 4

    If no semantic tag is indicated, we infer the statistical model from the distribution of values in the input data

l-diversity metric, used for analysis of reidentification risk.

Used in: PrivacyMetric

• repeated FieldId quasi_ids = 1

  Set of quasi-identifiers indicating how equivalence classes are defined for the l-diversity computation. When multiple fields are specified, they are considered a single composite key.

• optional FieldId sensitive_attribute = 2

  Sensitive field for computing the l-value.

Compute numerical stats over an individual column, including min, max, and quantiles.

Used in: PrivacyMetric

• optional FieldId field = 1

  Field to compute numerical stats on. Supported types are integer, float, date, datetime, timestamp, time.

A column with a semantic tag attached.

Used in: PrivacyMetric.DeltaPresenceEstimationConfig

• optional FieldId field = 1

  Identifies the column. [required]

• oneof tag

  Semantic tag that identifies what a column contains, to determine which statistical model to use to estimate the reidentifiability of each value. [required]

  • InfoType info_type = 2

    A column can be tagged with a InfoType to use the relevant public dataset as a statistical model of population, if available. We currently support US ZIP codes, region codes, ages and genders. To programmatically obtain the list of supported InfoTypes, use ListInfoTypes with the supported_by=RISK_ANALYSIS filter.

  • string custom_tag = 3

    A column can be tagged with a custom tag. In this case, the user must indicate an auxiliary table that contains statistical information on the possible values of this column (below).

  • protobuf.Empty inferred = 4

    If no semantic tag is indicated, we infer the statistical model from the distribution of values in the input data

Message for infoType-dependent details parsed from quote.

Used in: Finding

• oneof parsed_quote

  Object representation of the quote.

  • DateTime date_time = 2

    The date time indicated by the quote.

Generic half-open interval [start, end)

Used in: Location

• int64 start = 1

  Index of the first character of the range (inclusive).

• int64 end = 2

  Index of the last character of the range (exclusive).

A condition for determining whether a transformation should be applied to a field.

Used in: FieldTransformation, RecordSuppression

• optional RecordCondition.Expressions expressions = 3

  An expression.

The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Used in: Conditions

• optional FieldId field = 1

  Field within the record this condition is evaluated against. [required]

• RelationalOperator operator = 3

  Operator used to compare the field or infoType to the value. [required]

• optional Value value = 4

  Value to compare against. [Required, except for `EXISTS` tests.]

A collection of conditions.

Used in: Expressions

• repeated Condition conditions = 1

An expression, consisting or an operator and conditions.

Used in: RecordCondition

• Expressions.LogicalOperator logical_operator = 1

  The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

• oneof type

  • Conditions conditions = 3

Used in: Expressions

• LOGICAL_OPERATOR_UNSPECIFIED = 0

• AND = 1

Message for a unique key indicating a record that contains a finding.

Used in: RecordLocation

• oneof type

  • DatastoreKey datastore_key = 2

  • BigQueryKey big_query_key = 3

• repeated string id_values = 5

  Values of identifying columns in the given row. Order of values matches the order of field identifiers specified in the scanning request.

Location of a finding within a row or record.

Used in: ContentLocation

• optional RecordKey record_key = 1

  Key of the finding.

• optional FieldId field_id = 2

  Field id of the field containing the finding.

• optional TableLocation table_location = 3

  Location within a `ContentItem.Table`.

Configuration to suppress records whose suppression conditions evaluate to true.

Used in: RecordTransformations, TransformationSummary

• optional RecordCondition condition = 1

  A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

A type of transformation that is applied over structured data such as a table.

Used in: DeidentifyConfig

• repeated FieldTransformation field_transformations = 1

  Transform the record by applying various field transformations.

• repeated RecordSuppression record_suppressions = 2

  Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output [optional].

Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '.

Used in: PrimitiveTransformation

(message has no fields)

Configuration for determining how redaction of images should occur.

Used in: RedactImageRequest

• oneof target

  Type of information to redact from images.

  • InfoType info_type = 1

    Only one per info_type should be provided per request. If not specified, and redact_all_text is false, the DLP API will redact all text that it matches against all info_types that are found, but not specified in another ImageRedactionConfig.

  • bool redact_all_text = 2

    If true, all text found in the image, regardless whether it matches an info_type, is redacted. Only one should be provided.

• optional Color redaction_color = 3

  The color to use when redacting content from an image. If not specified, the default is black.

Operators available for comparing the value of fields.

Used in: RecordCondition.Condition

• RELATIONAL_OPERATOR_UNSPECIFIED = 0

• EQUAL_TO = 1

  Equal. Attempts to match even with incompatible types.

• NOT_EQUAL_TO = 2

  Not equal to. Attempts to match even with incompatible types.

• GREATER_THAN = 3

  Greater than.

• LESS_THAN = 4

  Less than.

• GREATER_THAN_OR_EQUALS = 5

  Greater than or equals.

• LESS_THAN_OR_EQUALS = 6

  Less than or equals.

• EXISTS = 7

  Exists

Replace each input value with a given `Value`.

Used in: PrimitiveTransformation

• optional Value new_value = 1

  Value to replace it with.

Replace each matching finding with the name of the info_type.

Used in: PrimitiveTransformation

(message has no fields)

Configuration for a risk analysis job. See https://cloud.google.com/dlp/docs/concepts-risk-analysis to learn more.

Used in: CreateDlpJobRequest

• optional PrivacyMetric privacy_metric = 1

  Privacy metric to compute.

• optional BigQueryTable source_table = 2

  Input dataset to compute metrics over.

• repeated Action actions = 3

  Actions to execute at the completion of the job. Are executed in the order provided.

Schedule for triggeredJobs.

Used in: JobTrigger.Trigger

• oneof option

  • protobuf.Duration recurrence_period_duration = 1

    With this option a job is started a regular periodic basis. For example: every day (86400 seconds). A scheduled start time will be skipped if the previous execution has not ended when its scheduled time occurs. This value must be set to a time duration greater than or equal to 1 day and can be no longer than 60 days.

An auxiliary table containing statistical information on the relative frequency of different quasi-identifiers values. It has one or several quasi-identifiers columns, and one column that indicates the relative frequency of each quasi-identifier tuple. If a tuple is present in the data but not in the auxiliary table, the corresponding relative frequency is assumed to be zero (and thus, the tuple is highly reidentifiable).

Used in: PrivacyMetric.DeltaPresenceEstimationConfig

• optional BigQueryTable table = 3

  Auxiliary table location. [required]

• repeated StatisticalTable.QuasiIdentifierField quasi_ids = 1

  Quasi-identifier columns. [required]

• optional FieldId relative_frequency = 2

  The relative frequency column must contain a floating-point number between 0 and 1 (inclusive). Null values are assumed to be zero. [required]

A quasi-identifier column has a custom_tag, used to know which column in the data corresponds to which column in the statistical model.

Used in: StatisticalTable

• optional FieldId field = 1

• string custom_tag = 2

Shared message indicating Cloud storage type.

Used in: InspectJobConfig

• oneof type

  • DatastoreOptions datastore_options = 2

    Google Cloud Datastore options specification.

  • CloudStorageOptions cloud_storage_options = 3

    Google Cloud Storage options specification.

  • BigQueryOptions big_query_options = 4

    BigQuery options specification.

• optional StorageConfig.TimespanConfig timespan_config = 6

Configuration of the timespan of the items to include in scanning. Currently only supported when inspecting Google Cloud Storage and BigQuery.

Used in: StorageConfig

• optional protobuf.Timestamp start_time = 1

  Exclude files or rows older than this value.

• optional protobuf.Timestamp end_time = 2

  Exclude files or rows newer than this value. If set to zero, no upper time limit is applied.

• optional FieldId timestamp_field = 3

  Specification of the field containing the timestamp of scanned items. Used for data sources like Datastore or BigQuery. If not specified for BigQuery, table last modification timestamp is checked against given time span. The valid data types of the timestamp field are: for BigQuery - timestamp, date, datetime; for Datastore - timestamp. Datastore entity will be scanned if the timestamp property does not exist or its value is empty or invalid.

• bool enable_auto_population_of_timespan_config = 4

  When the job is started by a JobTrigger we will automatically figure out a valid start_time to avoid scanning files that have not been modified since the last time the JobTrigger executed. This will be based on the time of the execution of the last run of the JobTrigger.

StoredInfoType resource message that contains information about the current version and any pending updates.

Used as response type in: DlpService.CreateStoredInfoType, DlpService.GetStoredInfoType, DlpService.UpdateStoredInfoType

Used as field type in: ListStoredInfoTypesResponse

• string name = 1

  Resource name.

• optional StoredInfoTypeVersion current_version = 2

  Current version of the stored info type.

• repeated StoredInfoTypeVersion pending_versions = 3

  Pending versions of the stored info type. Empty if no versions are pending.

Configuration for a StoredInfoType.

Used in: CreateStoredInfoTypeRequest, StoredInfoTypeVersion, UpdateStoredInfoTypeRequest

• string display_name = 1

  Display name of the StoredInfoType (max 256 characters).

• string description = 2

  Description of the StoredInfoType (max 256 characters).

• oneof type

  • LargeCustomDictionaryConfig large_custom_dictionary = 3

    StoredInfoType where findings are defined by a dictionary of phrases.

State of a StoredInfoType version.

Used in: StoredInfoTypeVersion

• STORED_INFO_TYPE_STATE_UNSPECIFIED = 0

• PENDING = 1

  StoredInfoType version is being created.

• READY = 2

  StoredInfoType version is ready for use.

• FAILED = 3

  StoredInfoType creation failed. All relevant error messages are returned in the `StoredInfoTypeVersion` message.

• INVALID = 4

  StoredInfoType is no longer valid because artifacts stored in user-controlled storage were modified. To fix an invalid StoredInfoType, use the `UpdateStoredInfoType` method to create a new version.

Statistics for a StoredInfoType.

Used in: StoredInfoTypeVersion

• oneof type

  • LargeCustomDictionaryStats large_custom_dictionary = 1

    StoredInfoType where findings are defined by a dictionary of phrases.

Version of a StoredInfoType, including the configuration used to build it, create timestamp, and current state.

Used in: StoredInfoType

• optional StoredInfoTypeConfig config = 1

  StoredInfoType configuration.

• optional protobuf.Timestamp create_time = 2

  Create timestamp of the version. Read-only, determined by the system when the version is created.

• StoredInfoTypeState state = 3

  Stored info type version state. Read-only, updated by the system during dictionary creation.

• repeated Error errors = 4

  Errors that occurred when creating this storedInfoType version, or anomalies detected in the storedInfoType data that render it unusable. Only the five most recent errors will be displayed, with the most recent error appearing first. <p>For example, some of the data for stored custom dictionaries is put in the user's Google Cloud Storage bucket, and if this data is modified or deleted by the user or another system, the dictionary becomes invalid. <p>If any errors occur, fix the problem indicated by the error message and use the UpdateStoredInfoType API method to create another version of the storedInfoType to continue using it, reusing the same `config` if it was not the source of the error.

• optional StoredInfoTypeStats stats = 5

  Statistics about this storedInfoType version.

A reference to a StoredInfoType to use with scanning.

Used in: CustomInfoType

• string name = 1

  Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

• optional protobuf.Timestamp create_time = 2

  Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Used in: ContentItem

• repeated FieldId headers = 1

• repeated Table.Row rows = 2

Used in: Table

• repeated Value values = 1

Location of a finding within a table.

Used in: RecordLocation

• int64 row_index = 1

  The zero-based index of the row where the finding is located.

For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value.

Used in: PrimitiveTransformation

• TimePartConfig.TimePart part_to_extract = 1

Used in: TimePartConfig

• TIME_PART_UNSPECIFIED = 0

• YEAR = 1

  [0-9999]

• MONTH = 2

  [1-12]

• DAY_OF_MONTH = 3

  [1-31]

• DAY_OF_WEEK = 4

  [1-7]

• WEEK_OF_YEAR = 5

  [1-52]

• HOUR_OF_DAY = 6

  [0-23]

Overview of the modifications that occurred.

Used in: DeidentifyContentResponse, ReidentifyContentResponse

• int64 transformed_bytes = 2

  Total size in bytes that were transformed in some way.

• repeated TransformationSummary transformation_summaries = 3

  Transformations applied to the dataset.

Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

Used in: TransformationOverview

• optional InfoType info_type = 1

  Set if the transformation was limited to a specific InfoType.

• optional FieldId field = 2

  Set if the transformation was limited to a specific FieldId.

• optional PrimitiveTransformation transformation = 3

  The specific transformation these stats apply to.

• repeated FieldTransformation field_transformations = 5

  The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

• optional RecordSuppression record_suppress = 6

  The specific suppression option these stats apply to.

• repeated TransformationSummary.SummaryResult results = 4

• int64 transformed_bytes = 7

  Total size in bytes that were transformed in some way.

A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.

Used in: TransformationSummary

• int64 count = 1

• TransformationResultCode code = 2

• string details = 3

  A place for warnings or errors to show up if a transformation didn't work as expected.

Possible outcomes of transformations.

Used in: SummaryResult

• TRANSFORMATION_RESULT_CODE_UNSPECIFIED = 0

• SUCCESS = 1

• ERROR = 2

Use this to have a random data crypto key generated. It will be discarded after the request finishes.

Used in: CryptoKey

• string name = 1

  Name of the key. [required] This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.

Used in: CryptoKey

• bytes key = 1

  A 128/192/256 bit key. [required]

Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Used in: AnalyzeDataSourceRiskDetails.DeltaPresenceEstimationResult.DeltaPresenceEstimationQuasiIdValues, AnalyzeDataSourceRiskDetails.KAnonymityResult.KAnonymityEquivalenceClass, AnalyzeDataSourceRiskDetails.KMapEstimationResult.KMapEstimationQuasiIdValues, AnalyzeDataSourceRiskDetails.LDiversityResult.LDiversityEquivalenceClass, AnalyzeDataSourceRiskDetails.NumericalStatsResult, BucketingConfig.Bucket, FixedSizeBucketingConfig, RecordCondition.Condition, ReplaceValueConfig, Table.Row, ValueFrequency

• oneof type

  • int64 integer_value = 1

  • double float_value = 2

  • string string_value = 3

  • bool boolean_value = 4

  • protobuf.Timestamp timestamp_value = 5

  • type.TimeOfDay time_value = 6

  • type.Date date_value = 7

  • type.DayOfWeek day_of_week_value = 8

A value of a field, including its frequency.

Used in: AnalyzeDataSourceRiskDetails.CategoricalStatsResult.CategoricalStatsHistogramBucket, AnalyzeDataSourceRiskDetails.LDiversityResult.LDiversityEquivalenceClass

• optional Value value = 1

  A value contained in the field in question.

• int64 count = 2

  How many times the value is contained in the field.