Class: Google::Cloud::Dlp::V2::DataProfileAction

Inherits: Object
Extended by: Protobuf::MessageExts::ClassMethods
Includes: Protobuf::MessageExts
Defined in: proto_docs/google/privacy/dlp/v2/dlp.rb

Overview

A task to execute when a data profile has been generated.

Defined Under Namespace

Modules: EventType

Classes: Export, PubSubNotification, PublishToChronicle, PublishToSecurityCommandCenter, TagResources


Instance Attribute Details

#export_data ⇒ ::Google::Cloud::Dlp::V2::DataProfileAction::Export

Returns Export data profiles into a provided location.

Note: The following fields are mutually exclusive: export_data, pub_sub_notification, publish_to_chronicle, publish_to_scc, tag_resources. If a field in that set is populated, all other fields in the set will automatically be cleared.

Returns:

  • (::Google::Cloud::Dlp::V2::DataProfileAction::Export)

# File 'proto_docs/google/privacy/dlp/v2/dlp.rb', line 4285

class DataProfileAction
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # If set, the detailed data profiles will be persisted to the location
  # of your choice whenever updated.
  # @!attribute [rw] profile_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store all profiles to BigQuery.
  #
  #     * The system will create a new dataset and table for you if none are
  #       provided. The dataset will be named
  #       `sensitive_data_protection_discovery` and table will be named
  #       `discovery_profiles`. This table will be placed in the same project as
  #       the container project running the scan. After the first profile is
  #       generated and the dataset and table are created, the discovery scan
  #       configuration will be updated with the dataset and table names.
  #     * See [Analyze data profiles stored in
  #     BigQuery](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles).
  #     * See [Sample queries for your BigQuery
  #     table](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#sample_sql_queries).
  #     *  Data is inserted using [streaming
  #        insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #        and so data may be in the buffer for a period of time after the
  #        profile has finished.
  #      * The Pub/Sub notification is sent before the streaming buffer is
  #        guaranteed to be written, so data may not be instantly
  #        visible to queries by the time your topic receives the Pub/Sub
  #        notification.
  #      * The best practice is to use the same table for an entire organization
  #        so that you can take advantage of the [provided Looker
  #        reports](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#use_a_premade_report).
  #        If you use VPC Service Controls to define security perimeters, then
  #        you must use a separate table for each boundary.
  # @!attribute [rw] sample_findings_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store sample [data profile
  #     findings][google.privacy.dlp.v2.DataProfileFinding] in an existing table
  #     or a new table in an existing dataset. Each regeneration will result in
  #     new rows in BigQuery. Data is inserted using [streaming
  #     insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #     and so data may be in the buffer for a period of time after the profile
  #     has finished.
  class Export
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Send a Pub/Sub message into the given Pub/Sub topic to connect other
  # systems to data profile generation. The message payload data will
  # be the byte serialization of `DataProfilePubSubMessage`.
  # @!attribute [rw] topic
  #   @return [::String]
  #     Cloud Pub/Sub topic to send notifications to.
  #     Format is projects/\\{project}/topics/\\{topic}.
  # @!attribute [rw] event
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::EventType]
  #     The type of event that triggers a Pub/Sub. At most one
  #     `PubSubNotification` per EventType is permitted.
  # @!attribute [rw] pubsub_condition
  #   @return [::Google::Cloud::Dlp::V2::DataProfilePubSubCondition]
  #     Conditions (e.g., data risk or sensitivity level) for triggering a
  #     Pub/Sub.
  # @!attribute [rw] detail_of_message
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::PubSubNotification::DetailLevel]
  #     How much data to include in the Pub/Sub message. If the user wishes to
  #     limit the size of the message, they can use resource_name and fetch the
  #     profile fields they wish to. Per table profile (not per column).
  class PubSubNotification
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The levels of detail that can be included in the Pub/Sub message.
    module DetailLevel
      # Unused.
      DETAIL_LEVEL_UNSPECIFIED = 0

      # The full table data profile.
      TABLE_PROFILE = 1

      # The name of the profiled resource.
      RESOURCE_NAME = 2

      # The full file store data profile.
      FILE_STORE_PROFILE = 3
    end
  end

  # Message expressing intention to publish to Google Security Operations.
  class PublishToChronicle
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, a summary finding will be created or updated in Security Command
  # Center for each profile.
  class PublishToSecurityCommandCenter
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, attaches the [tags]
  # (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
  # provided to profiled resources. Tags support [access
  # control](https://cloud.google.com/iam/docs/tags-access-control). You can
  # conditionally grant or deny access to a resource based on whether the
  # resource has a specific tag.
  # @!attribute [rw] tag_conditions
  #   @return [::Array<::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagCondition>]
  #     The tags to associate with different conditions.
  # @!attribute [rw] profile_generations_to_tag
  #   @return [::Array<::Google::Cloud::Dlp::V2::ProfileGeneration>]
  #     The profile generations for which the tag should be attached to
  #     resources. If you attach a tag to only new profiles, then if the
  #     sensitivity score of a profile subsequently changes, its tag doesn't
  #     change. By default, this field includes only new profiles. To include
  #     both new and updated profiles for tagging, this field should explicitly
  #     include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
  # @!attribute [rw] lower_data_risk_to_low
  #   @return [::Boolean]
  #     Whether applying a tag to a resource should lower the risk of the profile
  #     for that resource. For example, in conjunction with an [IAM deny
  #     policy](https://cloud.google.com/iam/docs/deny-overview), you can deny
  #     all principals a permission if a tag value is present, mitigating the
  #     risk of the resource. This also lowers the data risk of resources at the
  #     lower levels of the resource hierarchy. For example, reducing the data
  #     risk of a table data profile also reduces the data risk of the
  #     constituent column data profiles.
  class TagResources
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The tag to attach to profiles matching the condition. At most one
    # `TagCondition` can be specified per sensitivity level.
    # @!attribute [rw] tag
    #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagValue]
    #     The tag value to attach to resources.
    # @!attribute [rw] sensitivity_score
    #   @return [::Google::Cloud::Dlp::V2::SensitivityScore]
    #     Conditions attaching the tag to a resource on its profile having this
    #     sensitivity score.
    class TagCondition
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # A value of a tag.
    # @!attribute [rw] namespaced_value
    #   @return [::String]
    #     The namespaced name for the tag value to attach to resources. Must be
    #     in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for
    #     example, "123456/environment/prod".
    class TagValue
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Types of event that can trigger an action.
  module EventType
    # Unused.
    EVENT_TYPE_UNSPECIFIED = 0

    # New profile (not a re-profile).
    NEW_PROFILE = 1

    # One of the following profile metrics changed: Data risk score,
    # Sensitivity score, Resource visibility, Encryption type, Predicted
    # infoTypes, Other infoTypes
    CHANGED_PROFILE = 2

    # Table data risk score or sensitivity score increased.
    SCORE_INCREASED = 3

    # A user (non-internal) error occurred.
    ERROR_CHANGED = 4
  end
end
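
The constraints stated in the comments above (one populated action field per DataProfileAction, at most one PubSubNotification per EventType, at most one TagCondition per sensitivity level, the topic and tag value formats, and tags that only follow score changes when PROFILE_GENERATION_UPDATE is listed) can be checked before a discovery configuration is submitted. The following is an added example, not code from the google-cloud-dlp-v2 library: it lints plain Ruby hashes that mirror the field names on this page, and the project name, the symbol stand-ins for enum values and the simplified `sensitivity_score` symbol are assumptions.

```ruby
# Added example, not library code: lints discovery actions written as plain
# Ruby hashes that mirror the DataProfileAction field names on this page.
ONEOF_FIELDS = %i[export_data pub_sub_notification publish_to_chronicle
                  publish_to_scc tag_resources].freeze
TOPIC_FORMAT = %r{\Aprojects/[^/]+/topics/[^/]+\z}
# {parent_id}/{tag_key_short_name}/{short_name}
TAG_VALUE_FORMAT = %r{\A[^/]+/[^/]+/[^/]+\z}

# Checks the topic format and the "at most one notification per event" rule.
def lint_pub_sub(notification, where, events_seen)
  findings = []
  topic = notification[:topic].to_s
  unless TOPIC_FORMAT.match?(topic)
    findings << "#{where}: topic #{topic.inspect} is not projects/{project}/topics/{topic}"
  end
  event = notification[:event]
  if events_seen.include?(event)
    findings << "#{where}: second PubSubNotification for event #{event}"
  end
  events_seen << event
  findings
end

# Checks tag value format, one TagCondition per sensitivity level, and
# whether tags are refreshed when a profile is updated.
def lint_tag_resources(tagging, where)
  findings = []
  conditions = tagging.fetch(:tag_conditions, [])
  conditions.each do |condition|
    value = condition.dig(:tag, :namespaced_value).to_s
    unless TAG_VALUE_FORMAT.match?(value)
      findings << "#{where}: tag value #{value.inspect} is not " \
                  "{parent_id}/{tag_key_short_name}/{short_name}"
    end
  end
  conditions.group_by { |c| c[:sensitivity_score] }.each do |score, group|
    findings << "#{where}: #{group.size} TagConditions for #{score}" if group.size > 1
  end
  generations = tagging.fetch(:profile_generations_to_tag, [])
  unless generations.include?(:PROFILE_GENERATION_UPDATE)
    note = tagging[:lower_data_risk_to_low] ? " while lower_data_risk_to_low is set" : ""
    findings << "#{where}: only new profiles are tagged#{note}; " \
                "tags will not follow score changes"
  end
  findings
end

# Returns an array of finding strings; empty means no issue was detected.
def lint_data_profile_actions(actions)
  events_seen = []
  actions.each_with_index.flat_map do |action, index|
    where = "actions[#{index}]"
    populated = ONEOF_FIELDS & action.keys
    # The fields are mutually exclusive: on the real message, populating a
    # second one clears the first, so two keys here means one is lost.
    if populated.size != 1
      next ["#{where}: exactly one action field must be set, got #{populated.inspect}"]
    end
    case populated.first
    when :pub_sub_notification
      lint_pub_sub(action[:pub_sub_notification], where, events_seen)
    when :tag_resources
      lint_tag_resources(action[:tag_resources], where)
    else
      []
    end
  end
end

# Constructed sample configuration (all values are made up for illustration).
SAMPLE_ACTIONS = [
  { pub_sub_notification: { topic: "projects/example-project/topics/dlp-profiles",
                            event: :SCORE_INCREASED,
                            detail_of_message: :RESOURCE_NAME } },
  { pub_sub_notification: { topic: "dlp-profiles", event: :SCORE_INCREASED } },
  { export_data: {}, publish_to_scc: {} },
  { tag_resources: {
    tag_conditions: [
      { tag: { namespaced_value: "123456/environment/prod" },
        sensitivity_score: :SENSITIVITY_HIGH },
      { tag: { namespaced_value: "environment/prod" },
        sensitivity_score: :SENSITIVITY_HIGH }
    ],
    profile_generations_to_tag: [:PROFILE_GENERATION_NEW],
    lower_data_risk_to_low: true
  } }
].freeze

puts lint_data_profile_actions(SAMPLE_ACTIONS)
```

The last finding matters most when the tag feeds an IAM deny policy: a resource tagged only at first profiling keeps its original tag even if its sensitivity score later changes.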

#pub_sub_notification ⇒ ::Google::Cloud::Dlp::V2::DataProfileAction::PubSubNotification

Returns Publish a message into the Pub/Sub topic.

Note: The following fields are mutually exclusive: pub_sub_notification, export_data, publish_to_chronicle, publish_to_scc, tag_resources. If a field in that set is populated, all other fields in the set will automatically be cleared.

Returns:

  • (::Google::Cloud::Dlp::V2::DataProfileAction::PubSubNotification)


#publish_to_chronicle ⇒ ::Google::Cloud::Dlp::V2::DataProfileAction::PublishToChronicle

Returns Publishes generated data profiles to Google Security Operations. For more information, see Use Sensitive Data Protection data in context-aware analytics.

Note: The following fields are mutually exclusive: publish_to_chronicle, export_data, pub_sub_notification, publish_to_scc, tag_resources. If a field in that set is populated, all other fields in the set will automatically be cleared.

Returns:

  • (::Google::Cloud::Dlp::V2::DataProfileAction::PublishToChronicle)




#publish_to_scc ⇒ ::Google::Cloud::Dlp::V2::DataProfileAction::PublishToSecurityCommandCenter

Returns Publishes findings to Security Command Center for each data profile.

Note: The following fields are mutually exclusive: publish_to_scc, export_data, pub_sub_notification, publish_to_chronicle, tag_resources. If a field in that set is populated, all other fields in the set will automatically be cleared.

Returns:

  • (::Google::Cloud::Dlp::V2::DataProfileAction::PublishToSecurityCommandCenter)

# File 'proto_docs/google/privacy/dlp/v2/dlp.rb', line 4285

class DataProfileAction
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # If set, the detailed data profiles will be persisted to the location
  # of your choice whenever updated.
  # @!attribute [rw] profile_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store all profiles to BigQuery.
  #
  #     * The system will create a new dataset and table for you if none are
  #       provided. The dataset will be named
  #       `sensitive_data_protection_discovery` and table will be named
  #       `discovery_profiles`. This table will be placed in the same project as
  #       the container project running the scan. After the first profile is
  #       generated and the dataset and table are created, the discovery scan
  #       configuration will be updated with the dataset and table names.
  #     * See [Analyze data profiles stored in
  #       BigQuery](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles).
  #     * See [Sample queries for your BigQuery
  #       table](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#sample_sql_queries).
  #     * Data is inserted using [streaming
  #       insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #       and so data may be in the buffer for a period of time after the
  #       profile has finished.
  #     * The Pub/Sub notification is sent before the streaming buffer is
  #       guaranteed to be written, so data may not be instantly
  #       visible to queries by the time your topic receives the Pub/Sub
  #       notification.
  #     * The best practice is to use the same table for an entire organization
  #       so that you can take advantage of the [provided Looker
  #       reports](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#use_a_premade_report).
  #       If you use VPC Service Controls to define security perimeters, then
  #       you must use a separate table for each boundary.
  # @!attribute [rw] sample_findings_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store sample [data profile
  #     findings][google.privacy.dlp.v2.DataProfileFinding] in an existing table
  #     or a new table in an existing dataset. Each regeneration will result in
  #     new rows in BigQuery. Data is inserted using [streaming
  #     insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #     and so data may be in the buffer for a period of time after the profile
  #     has finished.
  class Export
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Send a Pub/Sub message into the given Pub/Sub topic to connect other
  # systems to data profile generation. The message payload data will
  # be the byte serialization of `DataProfilePubSubMessage`.
  # @!attribute [rw] topic
  #   @return [::String]
  #     Cloud Pub/Sub topic to send notifications to.
  #     Format is projects/\\{project}/topics/\\{topic}.
  # @!attribute [rw] event
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::EventType]
  #     The type of event that triggers a Pub/Sub. At most one
  #     `PubSubNotification` per EventType is permitted.
  # @!attribute [rw] pubsub_condition
  #   @return [::Google::Cloud::Dlp::V2::DataProfilePubSubCondition]
  #     Conditions (e.g., data risk or sensitivity level) for triggering a
  #     Pub/Sub.
  # @!attribute [rw] detail_of_message
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::PubSubNotification::DetailLevel]
  #     How much data to include in the Pub/Sub message. If the user wishes to
  #     limit the size of the message, they can use resource_name and fetch the
  #     profile fields they wish to. Per table profile (not per column).
  class PubSubNotification
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The levels of detail that can be included in the Pub/Sub message.
    module DetailLevel
      # Unused.
      DETAIL_LEVEL_UNSPECIFIED = 0

      # The full table data profile.
      TABLE_PROFILE = 1

      # The name of the profiled resource.
      RESOURCE_NAME = 2

      # The full file store data profile.
      FILE_STORE_PROFILE = 3
    end
  end

  # Message expressing intention to publish to Google Security Operations.
  class PublishToChronicle
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, a summary finding will be created or updated in Security Command
  # Center for each profile.
  class PublishToSecurityCommandCenter
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, attaches the
  # [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview)
  # provided to profiled resources. Tags support [access
  # control](https://cloud.google.com/iam/docs/tags-access-control). You can
  # conditionally grant or deny access to a resource based on whether the
  # resource has a specific tag.
  # @!attribute [rw] tag_conditions
  #   @return [::Array<::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagCondition>]
  #     The tags to associate with different conditions.
  # @!attribute [rw] profile_generations_to_tag
  #   @return [::Array<::Google::Cloud::Dlp::V2::ProfileGeneration>]
  #     The profile generations for which the tag should be attached to
  #     resources. If you attach a tag to only new profiles, then if the
  #     sensitivity score of a profile subsequently changes, its tag doesn't
  #     change. By default, this field includes only new profiles. To include
  #     both new and updated profiles for tagging, this field should explicitly
  #     include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
  # @!attribute [rw] lower_data_risk_to_low
  #   @return [::Boolean]
  #     Whether applying a tag to a resource should lower the risk of the profile
  #     for that resource. For example, in conjunction with an [IAM deny
  #     policy](https://cloud.google.com/iam/docs/deny-overview), you can deny
  #     all principals a permission if a tag value is present, mitigating the
  #     risk of the resource. This also lowers the data risk of resources at the
  #     lower levels of the resource hierarchy. For example, reducing the data
  #     risk of a table data profile also reduces the data risk of the
  #     constituent column data profiles.
  class TagResources
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The tag to attach to profiles matching the condition. At most one
    # `TagCondition` can be specified per sensitivity level.
    # @!attribute [rw] tag
    #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagValue]
    #     The tag value to attach to resources.
    # @!attribute [rw] sensitivity_score
    #   @return [::Google::Cloud::Dlp::V2::SensitivityScore]
    #     Conditions attaching the tag to a resource on its profile having this
    #     sensitivity score.
    class TagCondition
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # A value of a tag.
    # @!attribute [rw] namespaced_value
    #   @return [::String]
    #     The namespaced name for the tag value to attach to resources. Must be
    #     in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for
    #     example, "123456/environment/prod".
    class TagValue
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Types of event that can trigger an action.
  module EventType
    # Unused.
    EVENT_TYPE_UNSPECIFIED = 0

    # New profile (not a re-profile).
    NEW_PROFILE = 1

    # One of the following profile metrics changed: Data risk score,
    # Sensitivity score, Resource visibility, Encryption type, Predicted
    # infoTypes, Other infoTypes
    CHANGED_PROFILE = 2

    # Table data risk score or sensitivity score increased.
    SCORE_INCREASED = 3

    # A user (non-internal) error occurred.
    ERROR_CHANGED = 4
  end
end

#tag_resources::Google::Cloud::Dlp::V2::DataProfileAction::TagResources

Tags the profiled resources with the specified tag values.

Note: The following fields are mutually exclusive: tag_resources, export_data, pub_sub_notification, publish_to_chronicle, publish_to_scc. If a field in that set is populated, all other fields in the set will automatically be cleared.

Returns:

  • (::Google::Cloud::Dlp::V2::DataProfileAction::TagResources)

    Tags the profiled resources with the specified tag values.

    Note: The following fields are mutually exclusive: tag_resources, export_data, pub_sub_notification, publish_to_chronicle, publish_to_scc. If a field in that set is populated, all other fields in the set will automatically be cleared.



# File 'proto_docs/google/privacy/dlp/v2/dlp.rb', line 4285

class DataProfileAction
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # If set, the detailed data profiles will be persisted to the location
  # of your choice whenever updated.
  # @!attribute [rw] profile_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store all profiles to BigQuery.
  #
  #     * The system will create a new dataset and table for you if none are
  #       provided. The dataset will be named
  #       `sensitive_data_protection_discovery` and table will be named
  #       `discovery_profiles`. This table will be placed in the same project as
  #       the container project running the scan. After the first profile is
  #       generated and the dataset and table are created, the discovery scan
  #       configuration will be updated with the dataset and table names.
  #     * See [Analyze data profiles stored in
  #       BigQuery](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles).
  #     * See [Sample queries for your BigQuery
  #       table](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#sample_sql_queries).
  #     * Data is inserted using [streaming
  #       insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #       and so data may be in the buffer for a period of time after the
  #       profile has finished.
  #     * The Pub/Sub notification is sent before the streaming buffer is
  #       guaranteed to be written, so data may not be instantly
  #       visible to queries by the time your topic receives the Pub/Sub
  #       notification.
  #     * The best practice is to use the same table for an entire organization
  #       so that you can take advantage of the [provided Looker
  #       reports](https://cloud.google.com/sensitive-data-protection/docs/analyze-data-profiles#use_a_premade_report).
  #       If you use VPC Service Controls to define security perimeters, then
  #       you must use a separate table for each boundary.
  # @!attribute [rw] sample_findings_table
  #   @return [::Google::Cloud::Dlp::V2::BigQueryTable]
  #     Store sample [data profile
  #     findings][google.privacy.dlp.v2.DataProfileFinding] in an existing table
  #     or a new table in an existing dataset. Each regeneration will result in
  #     new rows in BigQuery. Data is inserted using [streaming
  #     insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
  #     and so data may be in the buffer for a period of time after the profile
  #     has finished.
  class Export
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Send a Pub/Sub message into the given Pub/Sub topic to connect other
  # systems to data profile generation. The message payload data will
  # be the byte serialization of `DataProfilePubSubMessage`.
  # @!attribute [rw] topic
  #   @return [::String]
  #     Cloud Pub/Sub topic to send notifications to.
  #     Format is projects/\\{project}/topics/\\{topic}.
  # @!attribute [rw] event
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::EventType]
  #     The type of event that triggers a Pub/Sub. At most one
  #     `PubSubNotification` per EventType is permitted.
  # @!attribute [rw] pubsub_condition
  #   @return [::Google::Cloud::Dlp::V2::DataProfilePubSubCondition]
  #     Conditions (e.g., data risk or sensitivity level) for triggering a
  #     Pub/Sub.
  # @!attribute [rw] detail_of_message
  #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::PubSubNotification::DetailLevel]
  #     How much data to include in the Pub/Sub message. If the user wishes to
  #     limit the size of the message, they can use resource_name and fetch the
  #     profile fields they wish to. Per table profile (not per column).
  class PubSubNotification
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The levels of detail that can be included in the Pub/Sub message.
    module DetailLevel
      # Unused.
      DETAIL_LEVEL_UNSPECIFIED = 0

      # The full table data profile.
      TABLE_PROFILE = 1

      # The name of the profiled resource.
      RESOURCE_NAME = 2

      # The full file store data profile.
      FILE_STORE_PROFILE = 3
    end
  end

  # Message expressing intention to publish to Google Security Operations.
  class PublishToChronicle
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, a summary finding will be created or updated in Security Command
  # Center for each profile.
  class PublishToSecurityCommandCenter
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # If set, attaches the
  # [tags](https://cloud.google.com/resource-manager/docs/tags/tags-overview)
  # provided to profiled resources. Tags support [access
  # control](https://cloud.google.com/iam/docs/tags-access-control). You can
  # conditionally grant or deny access to a resource based on whether the
  # resource has a specific tag.
  # @!attribute [rw] tag_conditions
  #   @return [::Array<::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagCondition>]
  #     The tags to associate with different conditions.
  # @!attribute [rw] profile_generations_to_tag
  #   @return [::Array<::Google::Cloud::Dlp::V2::ProfileGeneration>]
  #     The profile generations for which the tag should be attached to
  #     resources. If you attach a tag to only new profiles, then if the
  #     sensitivity score of a profile subsequently changes, its tag doesn't
  #     change. By default, this field includes only new profiles. To include
  #     both new and updated profiles for tagging, this field should explicitly
  #     include both `PROFILE_GENERATION_NEW` and `PROFILE_GENERATION_UPDATE`.
  # @!attribute [rw] lower_data_risk_to_low
  #   @return [::Boolean]
  #     Whether applying a tag to a resource should lower the risk of the profile
  #     for that resource. For example, in conjunction with an [IAM deny
  #     policy](https://cloud.google.com/iam/docs/deny-overview), you can deny
  #     all principals a permission if a tag value is present, mitigating the
  #     risk of the resource. This also lowers the data risk of resources at the
  #     lower levels of the resource hierarchy. For example, reducing the data
  #     risk of a table data profile also reduces the data risk of the
  #     constituent column data profiles.
  class TagResources
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The tag to attach to profiles matching the condition. At most one
    # `TagCondition` can be specified per sensitivity level.
    # @!attribute [rw] tag
    #   @return [::Google::Cloud::Dlp::V2::DataProfileAction::TagResources::TagValue]
    #     The tag value to attach to resources.
    # @!attribute [rw] sensitivity_score
    #   @return [::Google::Cloud::Dlp::V2::SensitivityScore]
    #     Conditions attaching the tag to a resource on its profile having this
    #     sensitivity score.
    class TagCondition
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # A value of a tag.
    # @!attribute [rw] namespaced_value
    #   @return [::String]
    #     The namespaced name for the tag value to attach to resources. Must be
    #     in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for
    #     example, "123456/environment/prod".
    class TagValue
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Types of event that can trigger an action.
  module EventType
    # Unused.
    EVENT_TYPE_UNSPECIFIED = 0

    # New profile (not a re-profile).
    NEW_PROFILE = 1

    # One of the following profile metrics changed: Data risk score,
    # Sensitivity score, Resource visibility, Encryption type, Predicted
    # infoTypes, Other infoTypes
    CHANGED_PROFILE = 2

    # Table data risk score or sensitivity score increased.
    SCORE_INCREASED = 3

    # A user (non-internal) error occurred.
    ERROR_CHANGED = 4
  end
end
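
The checks below are an added example, not part of the google-cloud-dlp-v2 gem or its generated documentation. They lint plain Ruby hashes that mirror the DataProfileAction fields documented above for the constraints that matter when tags drive IAM decisions: the mutually exclusive action fields, the namespaced_value format, one TagCondition per sensitivity level, and re-tagging on profile updates. The helper name lint_action, the issue labels and the sample hashes are constructed for illustration; SENSITIVITY_HIGH and SENSITIVITY_LOW are levels of the SensitivityScore message, which this page references but does not list.

```ruby
# Added example: lint hash-shaped DataProfileAction configs before they are applied.
# Hypothetical helper; the hashes mirror the documented field names only.
ONEOF_FIELDS = %i[export_data pub_sub_notification publish_to_chronicle
                  publish_to_scc tag_resources].freeze

# Structural check for {parent_id}/{tag_key_short_name}/{short_name}:
# exactly three non-empty segments separated by "/".
NAMESPACED_VALUE = %r{\A[^/]+/[^/]+/[^/]+\z}

def lint_action(action)
  issues = []
  populated = ONEOF_FIELDS & action.keys
  if populated.size > 1
    # Populating one field of the set clears the others, so one is silently lost.
    issues << "oneof: #{populated.join(', ')} set on one action; only one survives"
  end
  tag_resources = action[:tag_resources]
  return issues if tag_resources.nil?

  conditions = tag_resources.fetch(:tag_conditions, [])
  conditions.each do |cond|
    value = cond.dig(:tag, :namespaced_value).to_s
    next if value.match?(NAMESPACED_VALUE)
    issues << "format: #{value.inspect} is not {parent_id}/{tag_key_short_name}/{short_name}"
  end
  # At most one TagCondition can be specified per sensitivity level.
  conditions.group_by { |cond| cond.dig(:sensitivity_score, :score) }.each do |level, group|
    issues << "duplicate: #{group.size} tag conditions for #{level}" if group.size > 1
  end
  # By default only new profiles are tagged, so a tag used in an IAM condition
  # keeps its old value when the sensitivity score later changes.
  generations = tag_resources.fetch(:profile_generations_to_tag, [])
  unless generations.include?(:PROFILE_GENERATION_UPDATE)
    issues << "stale: updated profiles are not re-tagged when sensitivity changes"
  end
  if tag_resources[:lower_data_risk_to_low]
    issues << "review: tagging lowers data risk; confirm access control is bound to the tag"
  end
  issues
end

# Constructed sample configurations.
GOOD_ACTION = {
  tag_resources: {
    tag_conditions: [
      { tag: { namespaced_value: "123456/sensitivity/high" }, sensitivity_score: { score: :SENSITIVITY_HIGH } },
      { tag: { namespaced_value: "123456/sensitivity/low" }, sensitivity_score: { score: :SENSITIVITY_LOW } }
    ],
    profile_generations_to_tag: %i[PROFILE_GENERATION_NEW PROFILE_GENERATION_UPDATE],
    lower_data_risk_to_low: false
  }
}.freeze

RISKY_ACTION = {
  publish_to_scc: {},
  tag_resources: {
    tag_conditions: [
      { tag: { namespaced_value: "sensitivity/high" }, sensitivity_score: { score: :SENSITIVITY_HIGH } },
      { tag: { namespaced_value: "123456/sensitivity/high" }, sensitivity_score: { score: :SENSITIVITY_HIGH } }
    ],
    lower_data_risk_to_low: true
  }
}.freeze

lint_action(RISKY_ACTION).each { |issue| puts issue } if __FILE__ == $PROGRAM_NAME
```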