{
  "id": "privilegedaccessmanager:v1",
  "mtlsRootUrl": "https://privilegedaccessmanager.mtls.googleapis.com/",
  "description": "Privileged Access Manager (PAM) helps you to follow least privilege best practice to mitigate risks tied to privileged access misuse and abuse. You can shift from always-on standing privileges to on-demand access using time-bound and approval-based access elevations. IAM administrators specifically can use PAM to create entitlements that can grant temporary access to a specific resource scope. Requesters can explore eligible entitlements and request the access needed for their task, and approvers are notified when approvals require their attention. Streamlined workflows facilitated using PAM support several use cases, including the following: * Emergency access for incident responders * Time-boxed access for developers for critical deployment or maintenance * Temporary access for operators for data ingestion and audits * Temporary access to service accounts for automated tasks ",
  "batchPath": "batch",
  "discoveryVersion": "v1",
  "protocol": "rest",
  "ownerDomain": "google.com",
  "revision": "20260624",
  "kind": "discovery#restDescription",
  "name": "privilegedaccessmanager",
  "version": "v1",
  "icons": {
    "x16": "http://www.google.com/images/icons/product/search-16.gif",
    "x32": "http://www.google.com/images/icons/product/search-32.gif"
  },
  "schemas": {
    "GcpIamAccess": {
      "type": "object",
      "properties": {
        "resourceType": {
          "type": "string",
          "description": "Required. The type of this resource."
        },
        "roleBindings": {
          "description": "Required. Role bindings that are created on successful grant.",
          "items": {
            "$ref": "RoleBinding"
          },
          "type": "array"
        },
        "resource": {
          "description": "Required. Name of the resource.",
          "type": "string"
        }
      },
      "description": "`GcpIamAccess` represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM.",
      "id": "GcpIamAccess"
    },
    "SearchEntitlementsResponse": {
      "type": "object",
      "properties": {
        "entitlements": {
          "items": {
            "$ref": "Entitlement"
          },
          "type": "array",
          "description": "The list of entitlements."
        },
        "nextPageToken": {
          "type": "string",
          "description": "A token identifying a page of results the server should return."
        }
      },
      "description": "Response message for `SearchEntitlements` method.",
      "id": "SearchEntitlementsResponse"
    },
    "Event": {
      "type": "object",
      "properties": {
        "approved": {
          "$ref": "Approved",
          "description": "The grant was approved."
        },
        "withdrawn": {
          "description": "The grant was withdrawn.",
          "$ref": "Withdrawn"
        },
        "denied": {
          "$ref": "Denied",
          "description": "The grant was denied."
        },
        "ended": {
          "description": "Access given by the grant ended automatically as the approved duration was over.",
          "$ref": "Ended"
        },
        "externallyModified": {
          "$ref": "ExternallyModified",
          "description": "The policy bindings made by grant have been modified outside of PAM."
        },
        "scheduled": {
          "$ref": "Scheduled",
          "description": "The grant has been scheduled to give access."
        },
        "activated": {
          "description": "The grant was successfully activated to give access.",
          "$ref": "Activated"
        },
        "expired": {
          "$ref": "Expired",
          "description": "The approval workflow did not complete in the necessary duration, and so the grant is expired."
        },
        "requested": {
          "$ref": "Requested",
          "description": "The grant was requested."
        },
        "revoked": {
          "description": "The grant was revoked.",
          "$ref": "Revoked"
        },
        "activationFailed": {
          "description": "There was a non-retriable error while trying to give access.",
          "$ref": "ActivationFailed"
        },
        "eventTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time (as recorded at server) when this event occurred.",
          "format": "google-datetime"
        }
      },
      "id": "Event",
      "description": "A single operation on the grant."
    },
    "AuditTrail": {
      "id": "AuditTrail",
      "description": "Audit trail for the access provided by this grant.",
      "type": "object",
      "properties": {
        "accessGrantTime": {
          "description": "Output only. The time at which access was given.",
          "format": "google-datetime",
          "readOnly": true,
          "type": "string"
        },
        "accessRemoveTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time at which the system removed access. This could be because of an automatic expiry or because of a revocation. If unspecified, then access hasn't been removed yet.",
          "format": "google-datetime"
        }
      }
    },
    "RoleBinding": {
      "description": "IAM role bindings that are created after a successful grant.",
      "id": "RoleBinding",
      "type": "object",
      "properties": {
        "role": {
          "description": "Required. IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.",
          "type": "string"
        },
        "conditionExpression": {
          "description": "Optional. The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement is able to access the resource only if this condition evaluates to true for their request. This field uses the same CEL format as IAM and supports all attributes that IAM supports, except tags. https://cloud.google.com/iam/docs/conditions-overview#attributes.",
          "type": "string"
        }
      }
    },
    "ApproveGrantRequest": {
      "type": "object",
      "properties": {
        "reason": {
          "description": "Optional. The reason for approving this grant. This is required if the `require_approver_justification` field of the `ManualApprovals` workflow used in this grant is true.",
          "type": "string"
        }
      },
      "id": "ApproveGrantRequest",
      "description": "Request message for `ApproveGrant` method."
    },
    "OperationMetadata": {
      "type": "object",
      "properties": {
        "apiVersion": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. API version used to start the operation."
        },
        "createTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time the operation was created.",
          "format": "google-datetime"
        },
        "requestedCancellation": {
          "readOnly": true,
          "type": "boolean",
          "description": "Output only. Identifies whether the user has requested cancellation of the operation. Operations that have been cancelled successfully have Operation.error value with a google.rpc.Status.code of 1, corresponding to `Code.CANCELLED`."
        },
        "endTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time the operation finished running.",
          "format": "google-datetime"
        },
        "verb": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. Name of the verb executed by the operation."
        },
        "target": {
          "description": "Output only. Server-defined resource path for the target of the operation.",
          "readOnly": true,
          "type": "string"
        },
        "statusMessage": {
          "description": "Output only. Human-readable status of the operation, if any.",
          "readOnly": true,
          "type": "string"
        }
      },
      "id": "OperationMetadata",
      "description": "Represents the metadata of the long-running operation."
    },
    "Step": {
      "id": "Step",
      "description": "Step represents a logical step in a manual approval workflow.",
      "type": "object",
      "properties": {
        "approvers": {
          "items": {
            "$ref": "AccessControlEntry"
          },
          "type": "array",
          "description": "Optional. The potential set of approvers in this step. This list must contain at most one entry."
        },
        "approvalsNeeded": {
          "type": "integer",
          "description": "Required. How many users from the above list need to approve. If there aren't enough distinct users in the list, then the workflow indefinitely blocks. Should always be greater than 0. 1 is the only supported value.",
          "format": "int32"
        },
        "approverEmailRecipients": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Optional. Additional email addresses to be notified when a grant is pending approval."
        }
      }
    },
    "Withdrawn": {
      "type": "object",
      "properties": {},
      "description": "An event representing that the grant was withdrawn.",
      "id": "Withdrawn"
    },
    "Revoked": {
      "description": "An event representing that the grant was revoked.",
      "id": "Revoked",
      "type": "object",
      "properties": {
        "reason": {
          "description": "Output only. The reason provided by the user for revoking the grant.",
          "readOnly": true,
          "type": "string"
        },
        "actor": {
          "description": "Output only. Username of the user who revoked the grant.",
          "readOnly": true,
          "type": "string"
        }
      }
    },
    "CheckOnboardingStatusResponse": {
      "id": "CheckOnboardingStatusResponse",
      "description": "Response message for `CheckOnboardingStatus` method.",
      "type": "object",
      "properties": {
        "serviceAccount": {
          "description": "The service account that PAM uses to act on this resource.",
          "type": "string"
        },
        "findings": {
          "type": "array",
          "items": {
            "$ref": "Finding"
          },
          "description": "List of issues that are preventing PAM from functioning for this resource and need to be fixed to complete onboarding. Some issues might not be detected or reported."
        }
      }
    },
    "Ended": {
      "type": "object",
      "properties": {},
      "description": "An event representing that the grant has ended.",
      "id": "Ended"
    },
    "Grant": {
      "id": "Grant",
      "description": "A grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for.",
      "type": "object",
      "properties": {
        "auditTrail": {
          "description": "Output only. Audit trail of access provided by this grant. If unspecified then access was never granted.",
          "readOnly": true,
          "$ref": "AuditTrail"
        },
        "createTime": {
          "description": "Output only. Create time stamp.",
          "format": "google-datetime",
          "readOnly": true,
          "type": "string"
        },
        "requestedDuration": {
          "type": "string",
          "description": "Required. The amount of time access is needed for. This value should be shorter than the `max_request_duration` value of the entitlement.",
          "format": "google-duration"
        },
        "externallyModified": {
          "readOnly": true,
          "type": "boolean",
          "description": "Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM. After it is set, this flag remains set forever irrespective of the grant state. A `true` value here indicates that PAM no longer has any certainty on the access a user has because of this grant."
        },
        "requester": {
          "description": "Output only. Username of the user who created this grant.",
          "readOnly": true,
          "type": "string"
        },
        "timeline": {
          "readOnly": true,
          "$ref": "Timeline",
          "description": "Output only. Timeline of this grant."
        },
        "privilegedAccess": {
          "readOnly": true,
          "$ref": "PrivilegedAccess",
          "description": "Output only. The access that would be granted by this grant."
        },
        "name": {
          "description": "Identifier. Name of this grant. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` The last segment of this name (`{grant-id}`) is autogenerated.",
          "type": "string"
        },
        "justification": {
          "description": "Optional. Justification of why this access is needed.",
          "$ref": "Justification"
        },
        "updateTime": {
          "description": "Output only. Update time stamp.",
          "format": "google-datetime",
          "readOnly": true,
          "type": "string"
        },
        "state": {
          "enumDescriptions": [
            "Unspecified state. This value is never returned by the server.",
            "The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete.",
            "The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state.",
            "The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time.",
            "Access is being given.",
            "Access was successfully given and is currently active.",
            "The system could not give access due to a non-retriable error. This is a terminal state.",
            "Expired after waiting for the approval workflow to complete. This is a terminal state.",
            "Access is being revoked.",
            "Access was revoked by a user. This is a terminal state.",
            "System took back access as the requested duration was over. This is a terminal state.",
            "Access is being withdrawn.",
            "Grant was withdrawn by the grant owner. This is a terminal state."
          ],
          "readOnly": true,
          "type": "string",
          "enum": [
            "STATE_UNSPECIFIED",
            "APPROVAL_AWAITED",
            "DENIED",
            "SCHEDULED",
            "ACTIVATING",
            "ACTIVE",
            "ACTIVATION_FAILED",
            "EXPIRED",
            "REVOKING",
            "REVOKED",
            "ENDED",
            "WITHDRAWING",
            "WITHDRAWN"
          ],
          "description": "Output only. Current state of this grant."
        },
        "additionalEmailRecipients": {
          "items": {
            "type": "string"
          },
          "type": "array",
          "description": "Optional. Additional email addresses to notify for all the actions performed on the grant."
        }
      }
    },
    "Activated": {
      "description": "An event representing that the grant was successfully activated.",
      "id": "Activated",
      "type": "object",
      "properties": {}
    },
    "RevokeGrantRequest": {
      "description": "Request message for `RevokeGrant` method.",
      "id": "RevokeGrantRequest",
      "type": "object",
      "properties": {
        "reason": {
          "type": "string",
          "description": "Optional. The reason for revoking this grant."
        }
      }
    },
    "AccessControlEntry": {
      "description": "`AccessControlEntry` is used to control who can do some operation.",
      "id": "AccessControlEntry",
      "type": "object",
      "properties": {
        "principals": {
          "description": "Optional. Users who are allowed for the operation. Each entry should be a valid v1 IAM principal identifier. The format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      }
    },
    "ListEntitlementsResponse": {
      "type": "object",
      "properties": {
        "entitlements": {
          "type": "array",
          "items": {
            "$ref": "Entitlement"
          },
          "description": "The list of entitlements."
        },
        "nextPageToken": {
          "type": "string",
          "description": "A token identifying a page of results the server should return."
        },
        "unreachable": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Locations that could not be reached."
        }
      },
      "description": "Message for response to listing entitlements.",
      "id": "ListEntitlementsResponse"
    },
    "Approved": {
      "type": "object",
      "properties": {
        "reason": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The reason provided by the approver for approving the grant."
        },
        "actor": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. Username of the user who approved the grant."
        }
      },
      "description": "An event representing that the grant was approved.",
      "id": "Approved"
    },
    "PrivilegedAccess": {
      "type": "object",
      "properties": {
        "gcpIamAccess": {
          "description": "Access to a Google Cloud resource through IAM.",
          "$ref": "GcpIamAccess"
        }
      },
      "id": "PrivilegedAccess",
      "description": "Privileged access that this service can be used to gate."
    },
    "ExternallyModified": {
      "description": "An event representing that the policy bindings made by this grant were modified externally.",
      "id": "ExternallyModified",
      "type": "object",
      "properties": {}
    },
    "Status": {
      "description": "The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors).",
      "id": "Status",
      "type": "object",
      "properties": {
        "details": {
          "description": "A list of messages that carry the error details. There is a common set of message types for APIs to use.",
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": {
              "type": "any",
              "description": "Properties of the object. Contains field @type with type URL."
            }
          }
        },
        "message": {
          "description": "A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.",
          "type": "string"
        },
        "code": {
          "description": "The status code, which should be an enum value of google.rpc.Code.",
          "format": "int32",
          "type": "integer"
        }
      }
    },
    "Operation": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "description": "The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`."
        },
        "metadata": {
          "type": "object",
          "description": "Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any.",
          "additionalProperties": {
            "description": "Properties of the object. Contains field @type with type URL.",
            "type": "any"
          }
        },
        "done": {
          "description": "If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.",
          "type": "boolean"
        },
        "error": {
          "$ref": "Status",
          "description": "The error result of the operation in case of failure or cancellation."
        },
        "response": {
          "description": "The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`.",
          "additionalProperties": {
            "type": "any",
            "description": "Properties of the object. Contains field @type with type URL."
          },
          "type": "object"
        }
      },
      "id": "Operation",
      "description": "This resource represents a long-running operation that is the result of a network API call."
    },
    "CancelOperationRequest": {
      "type": "object",
      "properties": {},
      "id": "CancelOperationRequest",
      "description": "The request message for Operations.CancelOperation."
    },
    "RequesterJustificationConfig": {
      "description": "Defines how a requester must provide a justification when requesting access.",
      "id": "RequesterJustificationConfig",
      "type": "object",
      "properties": {
        "notMandatory": {
          "$ref": "NotMandatory",
          "description": "This option means the requester isn't required to provide a justification."
        },
        "unstructured": {
          "description": "This option means the requester must provide a string as justification. If this is selected, the server allows the requester to provide a justification but doesn't validate it.",
          "$ref": "Unstructured"
        }
      }
    },
    "ListOperationsResponse": {
      "type": "object",
      "properties": {
        "operations": {
          "description": "A list of operations that matches the specified filter in the request.",
          "items": {
            "$ref": "Operation"
          },
          "type": "array"
        },
        "nextPageToken": {
          "description": "The standard List next-page token.",
          "type": "string"
        },
        "unreachable": {
          "description": "Unordered list. Unreachable resources. Populated when the request sets `ListOperationsRequest.return_partial_success` and reads across collections. For example, when attempting to list all resources across all supported locations.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "description": "The response message for Operations.ListOperations.",
      "id": "ListOperationsResponse"
    },
    "DenyGrantRequest": {
      "id": "DenyGrantRequest",
      "description": "Request message for `DenyGrant` method.",
      "type": "object",
      "properties": {
        "reason": {
          "description": "Optional. The reason for denying this grant. This is required if `require_approver_justification` field of the `ManualApprovals` workflow used in this grant is true.",
          "type": "string"
        }
      }
    },
    "Justification": {
      "type": "object",
      "properties": {
        "unstructuredJustification": {
          "description": "A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string.",
          "type": "string"
        }
      },
      "id": "Justification",
      "description": "Justification represents a justification for requesting access."
    },
    "ApprovalWorkflow": {
      "description": "Different types of approval workflows that can be used to gate privileged access granting.",
      "id": "ApprovalWorkflow",
      "type": "object",
      "properties": {
        "manualApprovals": {
          "$ref": "ManualApprovals",
          "description": "An approval workflow where users designated as approvers review and act on the grants."
        }
      }
    },
    "ListGrantsResponse": {
      "type": "object",
      "properties": {
        "grants": {
          "description": "The list of grants.",
          "type": "array",
          "items": {
            "$ref": "Grant"
          }
        },
        "nextPageToken": {
          "type": "string",
          "description": "A token identifying a page of results the server should return."
        },
        "unreachable": {
          "items": {
            "type": "string"
          },
          "type": "array",
          "description": "Locations that could not be reached."
        }
      },
      "id": "ListGrantsResponse",
      "description": "Message for response to listing grants."
    },
    "IAMAccessDenied": {
      "type": "object",
      "properties": {
        "missingPermissions": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "List of permissions that are being denied."
        }
      },
      "description": "PAM's service account is being denied access by Cloud IAM. This can be fixed by granting a role that contains the missing permissions to the service account or exempting it from deny policies if they are blocking the access.",
      "id": "IAMAccessDenied"
    },
    "ManualApprovals": {
      "type": "object",
      "properties": {
        "requireApproverJustification": {
          "type": "boolean",
          "description": "Optional. Do the approvers need to provide a justification for their actions?"
        },
        "steps": {
          "items": {
            "$ref": "Step"
          },
          "type": "array",
          "description": "Optional. List of approval steps in this workflow. These steps are followed in the specified order sequentially. Only 1 step is supported."
        }
      },
      "id": "ManualApprovals",
      "description": "A manual approval workflow where users who are designated as approvers need to call the `ApproveGrant`/`DenyGrant` APIs for a grant. The workflow can consist of multiple serial steps where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as: * Require an approval from any user in a group G. * Require an approval from any k number of users from a Group G. * Require an approval from any user in a group G and then from a user U. A single user might be part of the `approvers` ACL for multiple steps in this workflow, but they can only approve once and that approval is only considered to satisfy the approval step at which it was granted."
    },
    "NotMandatory": {
      "id": "NotMandatory",
      "description": "The justification is not mandatory but can be provided in any of the supported formats.",
      "type": "object",
      "properties": {}
    },
    "Denied": {
      "description": "An event representing that the grant was denied.",
      "id": "Denied",
      "type": "object",
      "properties": {
        "reason": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The reason provided by the approver for denying the grant."
        },
        "actor": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. Username of the user who denied the grant."
        }
      }
    },
    "Finding": {
      "type": "object",
      "properties": {
        "iamAccessDenied": {
          "description": "PAM's service account is being denied access by Cloud IAM.",
          "$ref": "IAMAccessDenied"
        }
      },
      "id": "Finding",
      "description": "Finding represents an issue which prevents PAM from functioning properly for this resource."
    },
    "Requested": {
      "type": "object",
      "properties": {
        "expireTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time at which this grant expires unless the approval workflow completes. If omitted, then the request never expires.",
          "format": "google-datetime"
        }
      },
      "id": "Requested",
      "description": "An event representing that a grant was requested."
    },
    "ActivationFailed": {
      "type": "object",
      "properties": {
        "error": {
          "readOnly": true,
          "$ref": "Status",
          "description": "Output only. The error that occurred while activating the grant."
        }
      },
      "description": "An event representing that the grant activation failed.",
      "id": "ActivationFailed"
    },
    "AdditionalNotificationTargets": {
      "id": "AdditionalNotificationTargets",
      "description": "`AdditionalNotificationTargets` includes email addresses to be notified.",
      "type": "object",
      "properties": {
        "adminEmailRecipients": {
          "items": {
            "type": "string"
          },
          "type": "array",
          "description": "Optional. Additional email addresses to be notified when a principal (requester) is granted access."
        },
        "requesterEmailRecipients": {
          "description": "Optional. Additional email address to be notified about an eligible entitlement.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      }
    },
    "Scheduled": {
      "type": "object",
      "properties": {
        "scheduledActivationTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. The time at which the access is granted.",
          "format": "google-datetime"
        }
      },
      "id": "Scheduled",
      "description": "An event representing that the grant has been scheduled to be activated later."
    },
    "Timeline": {
      "type": "object",
      "properties": {
        "events": {
          "readOnly": true,
          "type": "array",
          "items": {
            "$ref": "Event"
          },
          "description": "Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type `Requested` and there is always at least one entry in this array."
        }
      },
      "description": "Timeline of a grant describing what happened to it and when.",
      "id": "Timeline"
    },
    "Location": {
      "id": "Location",
      "description": "A resource that represents a Google Cloud location.",
      "type": "object",
      "properties": {
        "labels": {
          "type": "object",
          "description": "Cross-service attributes for the location. For example {\"cloud.googleapis.com/region\": \"us-east1\"}",
          "additionalProperties": {
            "type": "string"
          }
        },
        "locationId": {
          "type": "string",
          "description": "The canonical id for this location. For example: `\"us-east1\"`."
        },
        "name": {
          "description": "Resource name for the location, which may vary between implementations. For example: `\"projects/example-project/locations/us-east1\"`",
          "type": "string"
        },
        "metadata": {
          "type": "object",
          "description": "Service-specific metadata. For example the available capacity at the given location.",
          "additionalProperties": {
            "type": "any",
            "description": "Properties of the object. Contains field @type with type URL."
          }
        },
        "displayName": {
          "type": "string",
          "description": "The friendly name for this location, typically a nearby city name. For example, \"Tokyo\"."
        }
      }
    },
    "Expired": {
      "description": "An event representing that the grant was expired.",
      "id": "Expired",
      "type": "object",
      "properties": {}
    },
    "GoogleProtobufEmpty": {
      "description": "A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }",
      "id": "GoogleProtobufEmpty",
      "type": "object",
      "properties": {}
    },
    "ListLocationsResponse": {
      "type": "object",
      "properties": {
        "locations": {
          "description": "A list of locations that matches the specified filter in the request.",
          "items": {
            "$ref": "Location"
          },
          "type": "array"
        },
        "nextPageToken": {
          "description": "The standard List next-page token.",
          "type": "string"
        }
      },
      "id": "ListLocationsResponse",
      "description": "The response message for Locations.ListLocations."
    },
    "SearchGrantsResponse": {
      "id": "SearchGrantsResponse",
      "description": "Response message for `SearchGrants` method.",
      "type": "object",
      "properties": {
        "grants": {
          "description": "The list of grants.",
          "items": {
            "$ref": "Grant"
          },
          "type": "array"
        },
        "nextPageToken": {
          "type": "string",
          "description": "A token identifying a page of results the server should return."
        }
      }
    },
    "Unstructured": {
      "type": "object",
      "properties": {},
      "id": "Unstructured",
      "description": "The requester has to provide a justification in the form of a string."
    },
    "Entitlement": {
      "id": "Entitlement",
      "description": "An entitlement defines the eligibility of a set of users to obtain predefined access for some time possibly after going through an approval workflow.",
      "type": "object",
      "properties": {
        "additionalNotificationTargets": {
          "description": "Optional. Additional email addresses to be notified based on actions taken.",
          "$ref": "AdditionalNotificationTargets"
        },
        "createTime": {
          "description": "Output only. Create time stamp.",
          "format": "google-datetime",
          "readOnly": true,
          "type": "string"
        },
        "approvalWorkflow": {
          "description": "Optional. The approvals needed before access are granted to a requester. No approvals are needed if this field is null.",
          "$ref": "ApprovalWorkflow"
        },
        "privilegedAccess": {
          "description": "Optional. The access granted to a requester on successful approval.",
          "$ref": "PrivilegedAccess"
        },
        "eligibleUsers": {
          "type": "array",
          "items": {
            "$ref": "AccessControlEntry"
          },
          "description": "Optional. Who can create grants using this entitlement. This list should contain at most one entry."
        },
        "etag": {
          "description": "An `etag` is used for optimistic concurrency control as a way to prevent simultaneous updates to the same entitlement. An `etag` is returned in the response to `GetEntitlement` and the caller should put the `etag` in the request to `UpdateEntitlement` so that their change is applied on the same version. If this field is omitted or if there is a mismatch while updating an entitlement, then the server rejects the request.",
          "type": "string"
        },
        "name": {
          "type": "string",
          "description": "Identifier. Name of the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`"
        },
        "updateTime": {
          "readOnly": true,
          "type": "string",
          "description": "Output only. Update time stamp.",
          "format": "google-datetime"
        },
        "requesterJustificationConfig": {
          "$ref": "RequesterJustificationConfig",
          "description": "Required. The manner in which the requester should provide a justification for requesting access."
        },
        "maxRequestDuration": {
          "description": "Required. The maximum amount of time that access is granted for a request. A requester can ask for a shorter duration but never a longer one. The supported range is between 30 minutes and 168 hours (7 days).",
          "format": "google-duration",
          "type": "string"
        },
        "state": {
          "readOnly": true,
          "type": "string",
          "enum": [
            "STATE_UNSPECIFIED",
            "CREATING",
            "AVAILABLE",
            "DELETING",
            "DELETED",
            "UPDATING"
          ],
          "enumDescriptions": [
            "Unspecified state. This value is never returned by the server.",
            "The entitlement is being created.",
            "The entitlement is available for requesting access.",
            "The entitlement is being deleted.",
            "The entitlement has been deleted.",
            "The entitlement is being updated."
          ],
          "description": "Output only. Current state of this entitlement."
        }
      }
    }
  },
  "version_module": true,
  "ownerName": "Google",
  "baseUrl": "https://privilegedaccessmanager.googleapis.com/",
  "canonicalName": "Privileged Access Manager",
  "documentationLink": "https://cloud.google.com/iam/docs/pam-overview",
  "parameters": {
    "alt": {
      "type": "string",
      "location": "query",
      "enum": [
        "json",
        "media",
        "proto"
      ],
      "enumDescriptions": [
        "Responses with Content-Type of application/json",
        "Media download with context-dependent Content-Type",
        "Responses with Content-Type of application/x-protobuf"
      ],
      "default": "json",
      "description": "Data format for response."
    },
    "fields": {
      "type": "string",
      "location": "query",
      "description": "Selector specifying which fields to include in a partial response."
    },
    "callback": {
      "description": "JSONP",
      "type": "string",
      "location": "query"
    },
    "uploadType": {
      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
      "type": "string",
      "location": "query"
    },
    "prettyPrint": {
      "description": "Returns response with indentations and line breaks.",
      "type": "boolean",
      "default": "true",
      "location": "query"
    },
    "access_token": {
      "description": "OAuth access token.",
      "type": "string",
      "location": "query"
    },
    "quotaUser": {
      "type": "string",
      "location": "query",
      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters."
    },
    "$.xgafv": {
      "type": "string",
      "location": "query",
      "enum": [
        "1",
        "2"
      ],
      "enumDescriptions": [
        "v1 error format",
        "v2 error format"
      ],
      "description": "V1 error format."
    },
    "upload_protocol": {
      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
      "type": "string",
      "location": "query"
    },
    "oauth_token": {
      "description": "OAuth 2.0 token for the current user.",
      "type": "string",
      "location": "query"
    },
    "key": {
      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
      "type": "string",
      "location": "query"
    }
  },
  "title": "Privileged Access Manager API",
  "auth": {
    "oauth2": {
      "scopes": {
        "https://www.googleapis.com/auth/cloud-platform": {
          "description": "See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account."
        }
      }
    }
  },
  "rootUrl": "https://privilegedaccessmanager.googleapis.com/",
  "fullyEncodeReservedExpansion": true,
  "resources": {
    "folders": {
      "resources": {
        "locations": {
          "methods": {
            "checkOnboardingStatus": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "response": {
                "$ref": "CheckOnboardingStatusResponse"
              },
              "path": "v1/{+parent}:checkOnboardingStatus",
              "description": "`CheckOnboardingStatus` reports the onboarding status for a project, folder, or organization. Any findings reported by this API need to be fixed before PAM can be used on the resource.",
              "parameters": {
                "parent": {
                  "description": "Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}`",
                  "required": true,
                  "pattern": "^folders/[^/]+/locations/[^/]+$",
                  "location": "path",
                  "type": "string"
                }
              },
              "flatPath": "v1/folders/{foldersId}/locations/{locationsId}:checkOnboardingStatus",
              "httpMethod": "GET",
              "id": "privilegedaccessmanager.folders.locations.checkOnboardingStatus",
              "parameterOrder": [
                "parent"
              ]
            },
            "list": {
              "httpMethod": "GET",
              "id": "privilegedaccessmanager.folders.locations.list",
              "parameterOrder": [
                "name"
              ],
              "flatPath": "v1/folders/{foldersId}/locations",
              "path": "v1/{+name}/locations",
              "description": "Lists information about the supported locations for this service. This method lists locations based on the resource scope provided in the ListLocationsRequest.name field: * **Global locations**: If `name` is empty, the method lists the public locations available to all projects. * **Project-specific locations**: If `name` follows the format `projects/{project}`, the method lists locations visible to that specific project. This includes public, private, or other project-specific locations enabled for the project. For gRPC and client library implementations, the resource name is passed as the `name` field. For direct service calls, the resource name is incorporated into the request path based on the specific service implementation and version.",
              "parameters": {
                "pageToken": {
                  "description": "A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page.",
                  "location": "query",
                  "type": "string"
                },
                "filter": {
                  "description": "A filter to narrow down results to a preferred subset. The filtering language accepts strings like `\"displayName=tokyo\"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160).",
                  "location": "query",
                  "type": "string"
                },
                "extraLocationTypes": {
                  "location": "query",
                  "repeated": true,
                  "type": "string",
                  "description": "Optional. Do not use this field unless explicitly documented otherwise. This is primarily for internal usage."
                },
                "pageSize": {
                  "location": "query",
                  "type": "integer",
                  "description": "The maximum number of results to return. If not set, the service selects a default.",
                  "format": "int32"
                },
                "name": {
                  "pattern": "^folders/[^/]+$",
                  "required": true,
                  "description": "The resource that owns the locations collection, if applicable.",
                  "location": "path",
                  "type": "string"
                }
              },
              "response": {
                "$ref": "ListLocationsResponse"
              },
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ]
            },
            "get": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "flatPath": "v1/folders/{foldersId}/locations/{locationsId}",
              "id": "privilegedaccessmanager.folders.locations.get",
              "parameterOrder": [
                "name"
              ],
              "httpMethod": "GET",
              "response": {
                "$ref": "Location"
              },
              "parameters": {
                "name": {
                  "location": "path",
                  "type": "string",
                  "description": "Resource name for the location.",
                  "required": true,
                  "pattern": "^folders/[^/]+/locations/[^/]+$"
                }
              },
              "path": "v1/{+name}",
              "description": "Gets information about a location."
            }
          },
          "resources": {
            "operations": {
              "methods": {
                "list": {
                  "path": "v1/{+name}/operations",
                  "description": "Lists operations that match the specified filter in the request. If the server doesn't support this method, it returns `UNIMPLEMENTED`.",
                  "parameters": {
                    "filter": {
                      "description": "The standard list filter.",
                      "location": "query",
                      "type": "string"
                    },
                    "returnPartialSuccess": {
                      "location": "query",
                      "type": "boolean",
                      "description": "When set to `true`, operations that are reachable are returned as normal, and those that are unreachable are returned in the ListOperationsResponse.unreachable field. This can only be `true` when reading across collections. For example, when `parent` is set to `\"projects/example/locations/-\"`. This field is not supported by default and will result in an `UNIMPLEMENTED` error if set unless explicitly documented otherwise in service or product specific documentation."
                    },
                    "pageToken": {
                      "description": "The standard list page token.",
                      "location": "query",
                      "type": "string"
                    },
                    "name": {
                      "description": "The name of the operation's parent resource.",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    },
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "The standard list page size.",
                      "format": "int32"
                    }
                  },
                  "response": {
                    "$ref": "ListOperationsResponse"
                  },
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.folders.locations.operations.list",
                  "parameterOrder": [
                    "name"
                  ],
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/operations",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "get": {
                  "response": {
                    "$ref": "Operation"
                  },
                  "path": "v1/{+name}",
                  "description": "Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.",
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "description": "The name of the operation resource.",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+/operations/[^/]+$"
                    }
                  },
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/operations/{operationsId}",
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.folders.locations.operations.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "delete": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "response": {
                    "$ref": "GoogleProtobufEmpty"
                  },
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+/operations/[^/]+$",
                      "description": "The name of the operation resource to be deleted."
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Deletes a long-running operation. This method indicates that the client is no longer interested in the operation result. It does not cancel the operation. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`.",
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/operations/{operationsId}",
                  "id": "privilegedaccessmanager.folders.locations.operations.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "DELETE"
                }
              }
            },
            "entitlements": {
              "methods": {
                "search": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.folders.locations.entitlements.search",
                  "parameterOrder": [
                    "parent"
                  ],
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements:search",
                  "path": "v1/{+parent}/entitlements:search",
                  "description": "`SearchEntitlements` returns entitlements on which the caller has the specified access.",
                  "parameters": {
                    "pageToken": {
                      "description": "Optional. A token identifying a page of results the server should return.",
                      "location": "query",
                      "type": "string"
                    },
                    "filter": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Only entitlements matching this filter are returned in the response."
                    },
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32"
                    },
                    "parent": {
                      "location": "path",
                      "type": "string",
                      "pattern": "^folders/[^/]+/locations/[^/]+$",
                      "required": true,
                      "description": "Required. The parent which owns the entitlement resources."
                    },
                    "callerAccessType": {
                      "description": "Required. Only entitlements where the calling user has this access are returned.",
                      "enumDescriptions": [
                        "Unspecified access type.",
                        "The user has access to create grants using this entitlement.",
                        "The user has access to approve/deny grants created under this entitlement."
                      ],
                      "enum": [
                        "CALLER_ACCESS_TYPE_UNSPECIFIED",
                        "GRANT_REQUESTER",
                        "GRANT_APPROVER"
                      ],
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "response": {
                    "$ref": "SearchEntitlementsResponse"
                  }
                },
                "list": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements",
                  "id": "privilegedaccessmanager.folders.locations.entitlements.list",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "GET",
                  "response": {
                    "$ref": "ListEntitlementsResponse"
                  },
                  "parameters": {
                    "filter": {
                      "description": "Optional. Filtering results.",
                      "location": "query",
                      "type": "string"
                    },
                    "pageToken": {
                      "description": "Optional. A token identifying a page of results the server should return.",
                      "location": "query",
                      "type": "string"
                    },
                    "orderBy": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Hint for how to order the results."
                    },
                    "parent": {
                      "description": "Required. The parent which owns the entitlement resources.",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    },
                    "pageSize": {
                      "description": "Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32",
                      "location": "query",
                      "type": "integer"
                    }
                  },
                  "path": "v1/{+parent}/entitlements",
                  "description": "Lists the entitlements in a given project, folder, organization, and in a given location."
                },
                "get": {
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "description": "Required. Name of the resource.",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$"
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Gets details of a single entitlement.",
                  "response": {
                    "$ref": "Entitlement"
                  },
                  "id": "privilegedaccessmanager.folders.locations.entitlements.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "GET",
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "create": {
                  "request": {
                    "$ref": "Entitlement"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "parameters": {
                    "parent": {
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+$",
                      "description": "Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `projects/{project-id|project-number}/locations/{region}`",
                      "location": "path",
                      "type": "string"
                    },
                    "entitlementId": {
                      "description": "Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are \"[a-z]\", \"[0-9]\", and \"-\". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`.",
                      "location": "query",
                      "type": "string"
                    },
                    "requestId": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000)."
                    }
                  },
                  "path": "v1/{+parent}/entitlements",
                  "description": "Creates a new entitlement in a given project, folder, organization, and in a given location.",
                  "response": {
                    "$ref": "Operation"
                  },
                  "id": "privilegedaccessmanager.folders.locations.entitlements.create",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "POST",
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements"
                },
                "delete": {
                  "path": "v1/{+name}",
                  "description": "Deletes a single entitlement. This method can only be called when there are no in-progress (`ACTIVE`/`ACTIVATING`/`REVOKING`) grants under the entitlement.",
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "description": "Required. Name of the resource.",
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$"
                    },
                    "force": {
                      "description": "Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.)",
                      "location": "query",
                      "type": "boolean"
                    },
                    "requestId": {
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).",
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "response": {
                    "$ref": "Operation"
                  },
                  "httpMethod": "DELETE",
                  "id": "privilegedaccessmanager.folders.locations.entitlements.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "patch": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "request": {
                    "$ref": "Entitlement"
                  },
                  "id": "privilegedaccessmanager.folders.locations.entitlements.patch",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "PATCH",
                  "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "parameters": {
                    "name": {
                      "required": true,
                      "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "description": "Identifier. Name of the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`",
                      "location": "path",
                      "type": "string"
                    },
                    "updateMask": {
                      "location": "query",
                      "type": "string",
                      "description": "Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource.",
                      "format": "google-fieldmask"
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Updates the entitlement specified in the request. Updated fields in the entitlement need to be specified in an update mask. The changes made to an entitlement are applicable only on future grants of the entitlement. However, if new approvers are added or existing approvers are removed from the approval workflow, the changes are effective on existing grants. The following fields are not supported for updates: * All immutable fields * Entitlement name * Resource name * Resource type * Adding an approval workflow in an entitlement which previously had no approval workflow. * Deleting the approval workflow from an entitlement. * Adding or deleting a step in the approval workflow (only one step is supported) Note that updates are allowed on the list of approvers in an approval workflow step.",
                  "response": {
                    "$ref": "Operation"
                  }
                }
              },
              "resources": {
                "grants": {
                  "methods": {
                    "approve": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "request": {
                        "$ref": "ApproveGrantRequest"
                      },
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:approve",
                      "httpMethod": "POST",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.approve",
                      "parameterOrder": [
                        "name"
                      ],
                      "response": {
                        "$ref": "Grant"
                      },
                      "path": "v1/{+name}:approve",
                      "description": "`ApproveGrant` is used to approve a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "parameters": {
                        "name": {
                          "description": "Required. Name of the grant resource which is being approved.",
                          "required": true,
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "location": "path",
                          "type": "string"
                        }
                      }
                    },
                    "search": {
                      "response": {
                        "$ref": "SearchGrantsResponse"
                      },
                      "parameters": {
                        "pageSize": {
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default.",
                          "format": "int32",
                          "location": "query",
                          "type": "integer"
                        },
                        "callerRelationship": {
                          "description": "Required. Only grants which the caller is related to by this relationship are returned in the response.",
                          "enum": [
                            "CALLER_RELATIONSHIP_TYPE_UNSPECIFIED",
                            "HAD_CREATED",
                            "CAN_APPROVE",
                            "HAD_APPROVED"
                          ],
                          "location": "query",
                          "type": "string",
                          "enumDescriptions": [
                            "Unspecified caller relationship type.",
                            "The user created this grant by calling `CreateGrant` earlier.",
                            "The user is an approver for the entitlement that this grant is parented under and can currently approve/deny it.",
                            "The caller had successfully approved/denied this grant earlier."
                          ]
                        },
                        "parent": {
                          "description": "Required. The parent which owns the grant resources.",
                          "required": true,
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "location": "path",
                          "type": "string"
                        },
                        "pageToken": {
                          "description": "Optional. A token identifying a page of results the server should return.",
                          "location": "query",
                          "type": "string"
                        },
                        "filter": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. Only grants matching this filter are returned in the response."
                        }
                      },
                      "path": "v1/{+parent}/grants:search",
                      "description": "`SearchGrants` returns grants that are related to the calling user in the specified way.",
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants:search",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.search",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "deny": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "request": {
                        "$ref": "DenyGrantRequest"
                      },
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:deny",
                      "httpMethod": "POST",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.deny",
                      "parameterOrder": [
                        "name"
                      ],
                      "response": {
                        "$ref": "Grant"
                      },
                      "path": "v1/{+name}:deny",
                      "description": "`DenyGrant` is used to deny a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "parameters": {
                        "name": {
                          "location": "path",
                          "type": "string",
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "required": true,
                          "description": "Required. Name of the grant resource which is being denied."
                        }
                      }
                    },
                    "list": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.list",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "response": {
                        "$ref": "ListGrantsResponse"
                      },
                      "parameters": {
                        "parent": {
                          "location": "path",
                          "type": "string",
                          "required": true,
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "description": "Required. The parent resource which owns the grants."
                        },
                        "pageSize": {
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                          "format": "int32",
                          "location": "query",
                          "type": "integer"
                        },
                        "filter": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. Filtering results."
                        },
                        "pageToken": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. A token identifying a page of results the server should return."
                        },
                        "orderBy": {
                          "description": "Optional. Hint for how to order the results",
                          "location": "query",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+parent}/grants",
                      "description": "Lists grants for a given entitlement."
                    },
                    "revoke": {
                      "request": {
                        "$ref": "RevokeGrantRequest"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "response": {
                        "$ref": "Operation"
                      },
                      "parameters": {
                        "name": {
                          "required": true,
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "description": "Required. Name of the grant resource which is being revoked.",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+name}:revoke",
                      "description": "`RevokeGrant` is used to immediately revoke access for a grant. This method can be called when the grant is in a non-terminal state.",
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:revoke",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.revoke",
                      "parameterOrder": [
                        "name"
                      ],
                      "httpMethod": "POST"
                    },
                    "get": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "path": "v1/{+name}",
                      "description": "Get details of a single grant.",
                      "parameters": {
                        "name": {
                          "description": "Required. Name of the resource.",
                          "required": true,
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "response": {
                        "$ref": "Grant"
                      },
                      "httpMethod": "GET",
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.get",
                      "parameterOrder": [
                        "name"
                      ],
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}"
                    },
                    "create": {
                      "parameters": {
                        "requestId": {
                          "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).",
                          "location": "query",
                          "type": "string"
                        },
                        "parent": {
                          "location": "path",
                          "type": "string",
                          "description": "Required. Name of the parent entitlement for which this grant is being requested.",
                          "pattern": "^folders/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true
                        }
                      },
                      "path": "v1/{+parent}/grants",
                      "description": "Creates a grant in a given project, folder, or organization and location.",
                      "response": {
                        "$ref": "Grant"
                      },
                      "id": "privilegedaccessmanager.folders.locations.entitlements.grants.create",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "POST",
                      "flatPath": "v1/folders/{foldersId}/locations/{locationsId}/entitlements/{entitlementsId}/grants",
                      "request": {
                        "$ref": "Grant"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "operations": {
      "methods": {
        "cancel": {
          "response": {
            "$ref": "GoogleProtobufEmpty"
          },
          "path": "v1/{+name}:cancel",
          "description": "Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`.",
          "parameters": {
            "name": {
              "location": "path",
              "type": "string",
              "description": "The name of the operation resource to be cancelled.",
              "pattern": "^operations/.*$",
              "required": true
            }
          },
          "flatPath": "v1/operations/{operationsId}:cancel",
          "httpMethod": "POST",
          "id": "privilegedaccessmanager.operations.cancel",
          "parameterOrder": [
            "name"
          ],
          "request": {
            "$ref": "CancelOperationRequest"
          },
          "scopes": [
            "https://www.googleapis.com/auth/cloud-platform"
          ]
        }
      }
    },
    "projects": {
      "resources": {
        "locations": {
          "methods": {
            "checkOnboardingStatus": {
              "flatPath": "v1/projects/{projectsId}/locations/{locationsId}:checkOnboardingStatus",
              "httpMethod": "GET",
              "id": "privilegedaccessmanager.projects.locations.checkOnboardingStatus",
              "parameterOrder": [
                "parent"
              ],
              "response": {
                "$ref": "CheckOnboardingStatusResponse"
              },
              "path": "v1/{+parent}:checkOnboardingStatus",
              "description": "`CheckOnboardingStatus` reports the onboarding status for a project, folder, or organization. Any findings reported by this API need to be fixed before PAM can be used on the resource.",
              "parameters": {
                "parent": {
                  "location": "path",
                  "type": "string",
                  "pattern": "^projects/[^/]+/locations/[^/]+$",
                  "required": true,
                  "description": "Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}`"
                }
              },
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ]
            },
            "list": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "flatPath": "v1/projects/{projectsId}/locations",
              "id": "privilegedaccessmanager.projects.locations.list",
              "parameterOrder": [
                "name"
              ],
              "httpMethod": "GET",
              "response": {
                "$ref": "ListLocationsResponse"
              },
              "parameters": {
                "pageToken": {
                  "location": "query",
                  "type": "string",
                  "description": "A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page."
                },
                "filter": {
                  "location": "query",
                  "type": "string",
                  "description": "A filter to narrow down results to a preferred subset. The filtering language accepts strings like `\"displayName=tokyo\"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160)."
                },
                "pageSize": {
                  "location": "query",
                  "type": "integer",
                  "description": "The maximum number of results to return. If not set, the service selects a default.",
                  "format": "int32"
                },
                "extraLocationTypes": {
                  "description": "Optional. Do not use this field unless explicitly documented otherwise. This is primarily for internal usage.",
                  "location": "query",
                  "repeated": true,
                  "type": "string"
                },
                "name": {
                  "location": "path",
                  "type": "string",
                  "pattern": "^projects/[^/]+$",
                  "required": true,
                  "description": "The resource that owns the locations collection, if applicable."
                }
              },
              "path": "v1/{+name}/locations",
              "description": "Lists information about the supported locations for this service. This method lists locations based on the resource scope provided in the ListLocationsRequest.name field: * **Global locations**: If `name` is empty, the method lists the public locations available to all projects. * **Project-specific locations**: If `name` follows the format `projects/{project}`, the method lists locations visible to that specific project. This includes public, private, or other project-specific locations enabled for the project. For gRPC and client library implementations, the resource name is passed as the `name` field. For direct service calls, the resource name is incorporated into the request path based on the specific service implementation and version."
            },
            "get": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "id": "privilegedaccessmanager.projects.locations.get",
              "parameterOrder": [
                "name"
              ],
              "httpMethod": "GET",
              "flatPath": "v1/projects/{projectsId}/locations/{locationsId}",
              "parameters": {
                "name": {
                  "pattern": "^projects/[^/]+/locations/[^/]+$",
                  "required": true,
                  "description": "Resource name for the location.",
                  "location": "path",
                  "type": "string"
                }
              },
              "path": "v1/{+name}",
              "description": "Gets information about a location.",
              "response": {
                "$ref": "Location"
              }
            }
          },
          "resources": {
            "operations": {
              "methods": {
                "list": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "path": "v1/{+name}/operations",
                  "description": "Lists operations that match the specified filter in the request. If the server doesn't support this method, it returns `UNIMPLEMENTED`.",
                  "parameters": {
                    "filter": {
                      "description": "The standard list filter.",
                      "location": "query",
                      "type": "string"
                    },
                    "returnPartialSuccess": {
                      "location": "query",
                      "type": "boolean",
                      "description": "When set to `true`, operations that are reachable are returned as normal, and those that are unreachable are returned in the ListOperationsResponse.unreachable field. This can only be `true` when reading across collections. For example, when `parent` is set to `\"projects/example/locations/-\"`. This field is not supported by default and will result in an `UNIMPLEMENTED` error if set unless explicitly documented otherwise in service or product specific documentation."
                    },
                    "pageToken": {
                      "description": "The standard list page token.",
                      "location": "query",
                      "type": "string"
                    },
                    "name": {
                      "pattern": "^projects/[^/]+/locations/[^/]+$",
                      "required": true,
                      "description": "The name of the operation's parent resource.",
                      "location": "path",
                      "type": "string"
                    },
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "The standard list page size.",
                      "format": "int32"
                    }
                  },
                  "response": {
                    "$ref": "ListOperationsResponse"
                  },
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.projects.locations.operations.list",
                  "parameterOrder": [
                    "name"
                  ],
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/operations"
                },
                "get": {
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.projects.locations.operations.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/operations/{operationsId}",
                  "path": "v1/{+name}",
                  "description": "Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.",
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "description": "The name of the operation resource.",
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+/operations/[^/]+$"
                    }
                  },
                  "response": {
                    "$ref": "Operation"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "delete": {
                  "response": {
                    "$ref": "GoogleProtobufEmpty"
                  },
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "description": "The name of the operation resource to be deleted.",
                      "pattern": "^projects/[^/]+/locations/[^/]+/operations/[^/]+$",
                      "required": true
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Deletes a long-running operation. This method indicates that the client is no longer interested in the operation result. It does not cancel the operation. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`.",
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/operations/{operationsId}",
                  "id": "privilegedaccessmanager.projects.locations.operations.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "DELETE",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                }
              }
            },
            "entitlements": {
              "methods": {
                "list": {
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.projects.locations.entitlements.list",
                  "parameterOrder": [
                    "parent"
                  ],
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements",
                  "path": "v1/{+parent}/entitlements",
                  "description": "Lists the entitlements in a given project, folder, organization, and in a given location.",
                  "parameters": {
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32"
                    },
                    "parent": {
                      "description": "Required. The parent which owns the entitlement resources.",
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    },
                    "pageToken": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. A token identifying a page of results the server should return."
                    },
                    "orderBy": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Hint for how to order the results."
                    },
                    "filter": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Filtering results."
                    }
                  },
                  "response": {
                    "$ref": "ListEntitlementsResponse"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "search": {
                  "id": "privilegedaccessmanager.projects.locations.entitlements.search",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "GET",
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements:search",
                  "parameters": {
                    "pageToken": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. A token identifying a page of results the server should return."
                    },
                    "filter": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Only entitlements matching this filter are returned in the response."
                    },
                    "pageSize": {
                      "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32",
                      "location": "query",
                      "type": "integer"
                    },
                    "parent": {
                      "description": "Required. The parent which owns the entitlement resources.",
                      "pattern": "^projects/[^/]+/locations/[^/]+$",
                      "required": true,
                      "location": "path",
                      "type": "string"
                    },
                    "callerAccessType": {
                      "description": "Required. Only entitlements where the calling user has this access are returned.",
                      "enumDescriptions": [
                        "Unspecified access type.",
                        "The user has access to create grants using this entitlement.",
                        "The user has access to approve/deny grants created under this entitlement."
                      ],
                      "enum": [
                        "CALLER_ACCESS_TYPE_UNSPECIFIED",
                        "GRANT_REQUESTER",
                        "GRANT_APPROVER"
                      ],
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "path": "v1/{+parent}/entitlements:search",
                  "description": "`SearchEntitlements` returns entitlements on which the caller has the specified access.",
                  "response": {
                    "$ref": "SearchEntitlementsResponse"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "get": {
                  "response": {
                    "$ref": "Entitlement"
                  },
                  "parameters": {
                    "name": {
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "description": "Required. Name of the resource.",
                      "location": "path",
                      "type": "string"
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Gets details of a single entitlement.",
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "id": "privilegedaccessmanager.projects.locations.entitlements.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "GET",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "create": {
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements",
                  "id": "privilegedaccessmanager.projects.locations.entitlements.create",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "POST",
                  "response": {
                    "$ref": "Operation"
                  },
                  "parameters": {
                    "parent": {
                      "description": "Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `projects/{project-id|project-number}/locations/{region}`",
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    },
                    "entitlementId": {
                      "description": "Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are \"[a-z]\", \"[0-9]\", and \"-\". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`.",
                      "location": "query",
                      "type": "string"
                    },
                    "requestId": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000)."
                    }
                  },
                  "path": "v1/{+parent}/entitlements",
                  "description": "Creates a new entitlement in a given project, folder, organization, and in a given location.",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "request": {
                    "$ref": "Entitlement"
                  }
                },
                "delete": {
                  "response": {
                    "$ref": "Operation"
                  },
                  "path": "v1/{+name}",
                  "description": "Deletes a single entitlement. This method can only be called when there are no in-progress (`ACTIVE`/`ACTIVATING`/`REVOKING`) grants under the entitlement.",
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "description": "Required. Name of the resource."
                    },
                    "force": {
                      "description": "Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.)",
                      "location": "query",
                      "type": "boolean"
                    },
                    "requestId": {
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).",
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "httpMethod": "DELETE",
                  "id": "privilegedaccessmanager.projects.locations.entitlements.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "patch": {
                  "request": {
                    "$ref": "Entitlement"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "response": {
                    "$ref": "Operation"
                  },
                  "path": "v1/{+name}",
                  "description": "Updates the entitlement specified in the request. Updated fields in the entitlement need to be specified in an update mask. The changes made to an entitlement are applicable only on future grants of the entitlement. However, if new approvers are added or existing approvers are removed from the approval workflow, the changes are effective on existing grants. The following fields are not supported for updates: * All immutable fields * Entitlement name * Resource name * Resource type * Adding an approval workflow in an entitlement which previously had no approval workflow. * Deleting the approval workflow from an entitlement. * Adding or deleting a step in the approval workflow (only one step is supported) Note that updates are allowed on the list of approvers in an approval workflow step.",
                  "parameters": {
                    "updateMask": {
                      "description": "Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource.",
                      "format": "google-fieldmask",
                      "location": "query",
                      "type": "string"
                    },
                    "name": {
                      "description": "Identifier. Name of the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`",
                      "required": true,
                      "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "location": "path",
                      "type": "string"
                    }
                  },
                  "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "httpMethod": "PATCH",
                  "id": "privilegedaccessmanager.projects.locations.entitlements.patch",
                  "parameterOrder": [
                    "name"
                  ]
                }
              },
              "resources": {
                "grants": {
                  "methods": {
                    "get": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "httpMethod": "GET",
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.get",
                      "parameterOrder": [
                        "name"
                      ],
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}",
                      "path": "v1/{+name}",
                      "description": "Get details of a single grant.",
                      "parameters": {
                        "name": {
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "required": true,
                          "description": "Required. Name of the resource.",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "response": {
                        "$ref": "Grant"
                      }
                    },
                    "create": {
                      "path": "v1/{+parent}/grants",
                      "description": "Creates a grant in a given project, folder, or organization and location.",
                      "parameters": {
                        "parent": {
                          "description": "Required. Name of the parent entitlement for which this grant is being requested.",
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true,
                          "location": "path",
                          "type": "string"
                        },
                        "requestId": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000)."
                        }
                      },
                      "response": {
                        "$ref": "Grant"
                      },
                      "httpMethod": "POST",
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.create",
                      "parameterOrder": [
                        "parent"
                      ],
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants",
                      "request": {
                        "$ref": "Grant"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "revoke": {
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:revoke",
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.revoke",
                      "parameterOrder": [
                        "name"
                      ],
                      "httpMethod": "POST",
                      "response": {
                        "$ref": "Operation"
                      },
                      "parameters": {
                        "name": {
                          "location": "path",
                          "type": "string",
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "required": true,
                          "description": "Required. Name of the grant resource which is being revoked."
                        }
                      },
                      "path": "v1/{+name}:revoke",
                      "description": "`RevokeGrant` is used to immediately revoke access for a grant. This method can be called when the grant is in a non-terminal state.",
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "request": {
                        "$ref": "RevokeGrantRequest"
                      }
                    },
                    "list": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.list",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants",
                      "parameters": {
                        "pageToken": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. A token identifying a page of results the server should return."
                        },
                        "orderBy": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. Hint for how to order the results"
                        },
                        "filter": {
                          "location": "query",
                          "type": "string",
                          "description": "Optional. Filtering results."
                        },
                        "pageSize": {
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                          "format": "int32",
                          "location": "query",
                          "type": "integer"
                        },
                        "parent": {
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true,
                          "description": "Required. The parent resource which owns the grants.",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+parent}/grants",
                      "description": "Lists grants for a given entitlement.",
                      "response": {
                        "$ref": "ListGrantsResponse"
                      }
                    },
                    "search": {
                      "response": {
                        "$ref": "SearchGrantsResponse"
                      },
                      "parameters": {
                        "filter": {
                          "description": "Optional. Only grants matching this filter are returned in the response.",
                          "location": "query",
                          "type": "string"
                        },
                        "pageToken": {
                          "description": "Optional. A token identifying a page of results the server should return.",
                          "location": "query",
                          "type": "string"
                        },
                        "parent": {
                          "location": "path",
                          "type": "string",
                          "description": "Required. The parent which owns the grant resources.",
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true
                        },
                        "callerRelationship": {
                          "description": "Required. Only grants which the caller is related to by this relationship are returned in the response.",
                          "location": "query",
                          "type": "string",
                          "enum": [
                            "CALLER_RELATIONSHIP_TYPE_UNSPECIFIED",
                            "HAD_CREATED",
                            "CAN_APPROVE",
                            "HAD_APPROVED"
                          ],
                          "enumDescriptions": [
                            "Unspecified caller relationship type.",
                            "The user created this grant by calling `CreateGrant` earlier.",
                            "The user is an approver for the entitlement that this grant is parented under and can currently approve/deny it.",
                            "The caller had successfully approved/denied this grant earlier."
                          ]
                        },
                        "pageSize": {
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default.",
                          "format": "int32",
                          "location": "query",
                          "type": "integer"
                        }
                      },
                      "path": "v1/{+parent}/grants:search",
                      "description": "`SearchGrants` returns grants that are related to the calling user in the specified way.",
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants:search",
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.search",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "deny": {
                      "response": {
                        "$ref": "Grant"
                      },
                      "parameters": {
                        "name": {
                          "description": "Required. Name of the grant resource which is being denied.",
                          "required": true,
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+name}:deny",
                      "description": "`DenyGrant` is used to deny a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:deny",
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.deny",
                      "parameterOrder": [
                        "name"
                      ],
                      "httpMethod": "POST",
                      "request": {
                        "$ref": "DenyGrantRequest"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "approve": {
                      "request": {
                        "$ref": "ApproveGrantRequest"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "parameters": {
                        "name": {
                          "description": "Required. Name of the grant resource which is being approved.",
                          "pattern": "^projects/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "required": true,
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+name}:approve",
                      "description": "`ApproveGrant` is used to approve a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "response": {
                        "$ref": "Grant"
                      },
                      "id": "privilegedaccessmanager.projects.locations.entitlements.grants.approve",
                      "parameterOrder": [
                        "name"
                      ],
                      "httpMethod": "POST",
                      "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:approve"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "organizations": {
      "resources": {
        "locations": {
          "methods": {
            "checkOnboardingStatus": {
              "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}:checkOnboardingStatus",
              "id": "privilegedaccessmanager.organizations.locations.checkOnboardingStatus",
              "parameterOrder": [
                "parent"
              ],
              "httpMethod": "GET",
              "response": {
                "$ref": "CheckOnboardingStatusResponse"
              },
              "parameters": {
                "parent": {
                  "location": "path",
                  "type": "string",
                  "required": true,
                  "pattern": "^organizations/[^/]+/locations/[^/]+$",
                  "description": "Required. The resource for which the onboarding status should be checked. Should be in one of the following formats: * `projects/{project-number|project-id}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `organizations/{organization-number}/locations/{region}`"
                }
              },
              "path": "v1/{+parent}:checkOnboardingStatus",
              "description": "`CheckOnboardingStatus` reports the onboarding status for a project, folder, or organization. Any findings reported by this API need to be fixed before PAM can be used on the resource.",
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ]
            },
            "list": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "id": "privilegedaccessmanager.organizations.locations.list",
              "parameterOrder": [
                "name"
              ],
              "httpMethod": "GET",
              "flatPath": "v1/organizations/{organizationsId}/locations",
              "parameters": {
                "pageToken": {
                  "description": "A page token received from the `next_page_token` field in the response. Send that page token to receive the subsequent page.",
                  "location": "query",
                  "type": "string"
                },
                "filter": {
                  "location": "query",
                  "type": "string",
                  "description": "A filter to narrow down results to a preferred subset. The filtering language accepts strings like `\"displayName=tokyo\"`, and is documented in more detail in [AIP-160](https://google.aip.dev/160)."
                },
                "extraLocationTypes": {
                  "location": "query",
                  "repeated": true,
                  "type": "string",
                  "description": "Optional. Do not use this field unless explicitly documented otherwise. This is primarily for internal usage."
                },
                "pageSize": {
                  "description": "The maximum number of results to return. If not set, the service selects a default.",
                  "format": "int32",
                  "location": "query",
                  "type": "integer"
                },
                "name": {
                  "required": true,
                  "pattern": "^organizations/[^/]+$",
                  "description": "The resource that owns the locations collection, if applicable.",
                  "location": "path",
                  "type": "string"
                }
              },
              "path": "v1/{+name}/locations",
              "description": "Lists information about the supported locations for this service. This method lists locations based on the resource scope provided in the ListLocationsRequest.name field: * **Global locations**: If `name` is empty, the method lists the public locations available to all projects. * **Project-specific locations**: If `name` follows the format `projects/{project}`, the method lists locations visible to that specific project. This includes public, private, or other project-specific locations enabled for the project. For gRPC and client library implementations, the resource name is passed as the `name` field. For direct service calls, the resource name is incorporated into the request path based on the specific service implementation and version.",
              "response": {
                "$ref": "ListLocationsResponse"
              }
            },
            "get": {
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ],
              "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}",
              "id": "privilegedaccessmanager.organizations.locations.get",
              "parameterOrder": [
                "name"
              ],
              "httpMethod": "GET",
              "response": {
                "$ref": "Location"
              },
              "parameters": {
                "name": {
                  "location": "path",
                  "type": "string",
                  "pattern": "^organizations/[^/]+/locations/[^/]+$",
                  "required": true,
                  "description": "Resource name for the location."
                }
              },
              "path": "v1/{+name}",
              "description": "Gets information about a location."
            }
          },
          "resources": {
            "operations": {
              "methods": {
                "list": {
                  "response": {
                    "$ref": "ListOperationsResponse"
                  },
                  "path": "v1/{+name}/operations",
                  "description": "Lists operations that match the specified filter in the request. If the server doesn't support this method, it returns `UNIMPLEMENTED`.",
                  "parameters": {
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "The standard list page size.",
                      "format": "int32"
                    },
                    "name": {
                      "required": true,
                      "pattern": "^organizations/[^/]+/locations/[^/]+$",
                      "description": "The name of the operation's parent resource.",
                      "location": "path",
                      "type": "string"
                    },
                    "pageToken": {
                      "description": "The standard list page token.",
                      "location": "query",
                      "type": "string"
                    },
                    "filter": {
                      "location": "query",
                      "type": "string",
                      "description": "The standard list filter."
                    },
                    "returnPartialSuccess": {
                      "description": "When set to `true`, operations that are reachable are returned as normal, and those that are unreachable are returned in the ListOperationsResponse.unreachable field. This can only be `true` when reading across collections. For example, when `parent` is set to `\"projects/example/locations/-\"`. This field is not supported by default and will result in an `UNIMPLEMENTED` error if set unless explicitly documented otherwise in service or product specific documentation.",
                      "location": "query",
                      "type": "boolean"
                    }
                  },
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/operations",
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.organizations.locations.operations.list",
                  "parameterOrder": [
                    "name"
                  ],
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "get": {
                  "response": {
                    "$ref": "Operation"
                  },
                  "parameters": {
                    "name": {
                      "description": "The name of the operation resource.",
                      "required": true,
                      "pattern": "^organizations/[^/]+/locations/[^/]+/operations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/operations/{operationsId}",
                  "id": "privilegedaccessmanager.organizations.locations.operations.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "GET",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "delete": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "id": "privilegedaccessmanager.organizations.locations.operations.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "DELETE",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/operations/{operationsId}",
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "pattern": "^organizations/[^/]+/locations/[^/]+/operations/[^/]+$",
                      "required": true,
                      "description": "The name of the operation resource to be deleted."
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Deletes a long-running operation. This method indicates that the client is no longer interested in the operation result. It does not cancel the operation. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`.",
                  "response": {
                    "$ref": "GoogleProtobufEmpty"
                  }
                }
              }
            },
            "entitlements": {
              "methods": {
                "get": {
                  "parameters": {
                    "name": {
                      "location": "path",
                      "type": "string",
                      "required": true,
                      "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "description": "Required. Name of the resource."
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Gets details of a single entitlement.",
                  "response": {
                    "$ref": "Entitlement"
                  },
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.get",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "GET",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "create": {
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.create",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "POST",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements",
                  "parameters": {
                    "parent": {
                      "location": "path",
                      "type": "string",
                      "description": "Required. Name of the parent resource for the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}` * `folders/{folder-number}/locations/{region}` * `projects/{project-id|project-number}/locations/{region}`",
                      "pattern": "^organizations/[^/]+/locations/[^/]+$",
                      "required": true
                    },
                    "entitlementId": {
                      "location": "query",
                      "type": "string",
                      "description": "Required. The ID to use for this entitlement. This becomes the last part of the resource name. This value should be 4-63 characters in length, and valid characters are \"[a-z]\", \"[0-9]\", and \"-\". The first character should be from [a-z]. This value should be unique among all other entitlements under the specified `parent`."
                    },
                    "requestId": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request and returns the previous operation's response. This prevents clients from accidentally creating duplicate entitlements. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000)."
                    }
                  },
                  "path": "v1/{+parent}/entitlements",
                  "description": "Creates a new entitlement in a given project, folder, organization, and in a given location.",
                  "response": {
                    "$ref": "Operation"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "request": {
                    "$ref": "Entitlement"
                  }
                },
                "delete": {
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "path": "v1/{+name}",
                  "description": "Deletes a single entitlement. This method can only be called when there are no in-progress (`ACTIVE`/`ACTIVATING`/`REVOKING`) grants under the entitlement.",
                  "parameters": {
                    "name": {
                      "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "required": true,
                      "description": "Required. Name of the resource.",
                      "location": "path",
                      "type": "string"
                    },
                    "force": {
                      "location": "query",
                      "type": "boolean",
                      "description": "Optional. If set to true, any child grant under this entitlement is also deleted. (Otherwise, the request only works if the entitlement has no child grant.)"
                    },
                    "requestId": {
                      "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).",
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "response": {
                    "$ref": "Operation"
                  },
                  "httpMethod": "DELETE",
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.delete",
                  "parameterOrder": [
                    "name"
                  ],
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}"
                },
                "patch": {
                  "request": {
                    "$ref": "Entitlement"
                  },
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ],
                  "response": {
                    "$ref": "Operation"
                  },
                  "parameters": {
                    "updateMask": {
                      "description": "Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a `paths` string and overwrite the existing values. Hence an update to a repeated field or a map should contain the entire list of values. The fields specified in the update_mask are relative to the resource and not to the request. (e.g. `MaxRequestDuration`; *not* `entitlement.MaxRequestDuration`) A value of '*' for this field refers to full replacement of the resource.",
                      "format": "google-fieldmask",
                      "location": "query",
                      "type": "string"
                    },
                    "name": {
                      "description": "Identifier. Name of the entitlement. Possible formats: * `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}` * `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}` * `projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}`",
                      "required": true,
                      "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                      "location": "path",
                      "type": "string"
                    }
                  },
                  "path": "v1/{+name}",
                  "description": "Updates the entitlement specified in the request. Updated fields in the entitlement need to be specified in an update mask. The changes made to an entitlement are applicable only on future grants of the entitlement. However, if new approvers are added or existing approvers are removed from the approval workflow, the changes are effective on existing grants. The following fields are not supported for updates: * All immutable fields * Entitlement name * Resource name * Resource type * Adding an approval workflow in an entitlement which previously had no approval workflow. * Deleting the approval workflow from an entitlement. * Adding or deleting a step in the approval workflow (only one step is supported) Note that updates are allowed on the list of approvers in an approval workflow step.",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}",
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.patch",
                  "parameterOrder": [
                    "name"
                  ],
                  "httpMethod": "PATCH"
                },
                "search": {
                  "response": {
                    "$ref": "SearchEntitlementsResponse"
                  },
                  "parameters": {
                    "filter": {
                      "description": "Optional. Only entitlements matching this filter are returned in the response.",
                      "location": "query",
                      "type": "string"
                    },
                    "pageToken": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. A token identifying a page of results the server should return."
                    },
                    "parent": {
                      "description": "Required. The parent which owns the entitlement resources.",
                      "required": true,
                      "pattern": "^organizations/[^/]+/locations/[^/]+$",
                      "location": "path",
                      "type": "string"
                    },
                    "callerAccessType": {
                      "description": "Required. Only entitlements where the calling user has this access are returned.",
                      "enumDescriptions": [
                        "Unspecified access type.",
                        "The user has access to create grants using this entitlement.",
                        "The user has access to approve/deny grants created under this entitlement."
                      ],
                      "location": "query",
                      "type": "string",
                      "enum": [
                        "CALLER_ACCESS_TYPE_UNSPECIFIED",
                        "GRANT_REQUESTER",
                        "GRANT_APPROVER"
                      ]
                    },
                    "pageSize": {
                      "location": "query",
                      "type": "integer",
                      "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32"
                    }
                  },
                  "path": "v1/{+parent}/entitlements:search",
                  "description": "`SearchEntitlements` returns entitlements on which the caller has the specified access.",
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements:search",
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.search",
                  "parameterOrder": [
                    "parent"
                  ],
                  "httpMethod": "GET",
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                },
                "list": {
                  "response": {
                    "$ref": "ListEntitlementsResponse"
                  },
                  "path": "v1/{+parent}/entitlements",
                  "description": "Lists the entitlements in a given project, folder, organization, and in a given location.",
                  "parameters": {
                    "parent": {
                      "location": "path",
                      "type": "string",
                      "description": "Required. The parent which owns the entitlement resources.",
                      "pattern": "^organizations/[^/]+/locations/[^/]+$",
                      "required": true
                    },
                    "pageSize": {
                      "description": "Optional. Requested page size. Server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                      "format": "int32",
                      "location": "query",
                      "type": "integer"
                    },
                    "filter": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. Filtering results."
                    },
                    "pageToken": {
                      "location": "query",
                      "type": "string",
                      "description": "Optional. A token identifying a page of results the server should return."
                    },
                    "orderBy": {
                      "description": "Optional. Hint for how to order the results.",
                      "location": "query",
                      "type": "string"
                    }
                  },
                  "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements",
                  "httpMethod": "GET",
                  "id": "privilegedaccessmanager.organizations.locations.entitlements.list",
                  "parameterOrder": [
                    "parent"
                  ],
                  "scopes": [
                    "https://www.googleapis.com/auth/cloud-platform"
                  ]
                }
              },
              "resources": {
                "grants": {
                  "methods": {
                    "get": {
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}",
                      "httpMethod": "GET",
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.get",
                      "parameterOrder": [
                        "name"
                      ],
                      "response": {
                        "$ref": "Grant"
                      },
                      "path": "v1/{+name}",
                      "description": "Get details of a single grant.",
                      "parameters": {
                        "name": {
                          "location": "path",
                          "type": "string",
                          "required": true,
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "description": "Required. Name of the resource."
                        }
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "create": {
                      "request": {
                        "$ref": "Grant"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "parameters": {
                        "parent": {
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true,
                          "description": "Required. Name of the parent entitlement for which this grant is being requested.",
                          "location": "path",
                          "type": "string"
                        },
                        "requestId": {
                          "description": "Optional. An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server knows to ignore the request if it has already been completed. The server guarantees this for at least 60 minutes after the first request. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, ignores the second request. This prevents clients from accidentally creating duplicate grants. The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).",
                          "location": "query",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+parent}/grants",
                      "description": "Creates a grant in a given project, folder, or organization and location.",
                      "response": {
                        "$ref": "Grant"
                      },
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.create",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "POST",
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants"
                    },
                    "revoke": {
                      "parameters": {
                        "name": {
                          "location": "path",
                          "type": "string",
                          "description": "Required. Name of the grant resource which is being revoked.",
                          "required": true,
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$"
                        }
                      },
                      "path": "v1/{+name}:revoke",
                      "description": "`RevokeGrant` is used to immediately revoke access for a grant. This method can be called when the grant is in a non-terminal state.",
                      "response": {
                        "$ref": "Operation"
                      },
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.revoke",
                      "parameterOrder": [
                        "name"
                      ],
                      "httpMethod": "POST",
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:revoke",
                      "request": {
                        "$ref": "RevokeGrantRequest"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "list": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "parameters": {
                        "pageSize": {
                          "location": "query",
                          "type": "integer",
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, the server picks an appropriate default.",
                          "format": "int32"
                        },
                        "parent": {
                          "description": "Required. The parent resource which owns the grants.",
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true,
                          "location": "path",
                          "type": "string"
                        },
                        "pageToken": {
                          "description": "Optional. A token identifying a page of results the server should return.",
                          "location": "query",
                          "type": "string"
                        },
                        "orderBy": {
                          "description": "Optional. Hint for how to order the results",
                          "location": "query",
                          "type": "string"
                        },
                        "filter": {
                          "description": "Optional. Filtering results.",
                          "location": "query",
                          "type": "string"
                        }
                      },
                      "path": "v1/{+parent}/grants",
                      "description": "Lists grants for a given entitlement.",
                      "response": {
                        "$ref": "ListGrantsResponse"
                      },
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.list",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants"
                    },
                    "approve": {
                      "path": "v1/{+name}:approve",
                      "description": "`ApproveGrant` is used to approve a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "parameters": {
                        "name": {
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "required": true,
                          "description": "Required. Name of the grant resource which is being approved.",
                          "location": "path",
                          "type": "string"
                        }
                      },
                      "response": {
                        "$ref": "Grant"
                      },
                      "httpMethod": "POST",
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.approve",
                      "parameterOrder": [
                        "name"
                      ],
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:approve",
                      "request": {
                        "$ref": "ApproveGrantRequest"
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ]
                    },
                    "search": {
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants:search",
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.search",
                      "parameterOrder": [
                        "parent"
                      ],
                      "httpMethod": "GET",
                      "response": {
                        "$ref": "SearchGrantsResponse"
                      },
                      "parameters": {
                        "filter": {
                          "description": "Optional. Only grants matching this filter are returned in the response.",
                          "location": "query",
                          "type": "string"
                        },
                        "pageToken": {
                          "description": "Optional. A token identifying a page of results the server should return.",
                          "location": "query",
                          "type": "string"
                        },
                        "parent": {
                          "location": "path",
                          "type": "string",
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+$",
                          "required": true,
                          "description": "Required. The parent which owns the grant resources."
                        },
                        "callerRelationship": {
                          "location": "query",
                          "type": "string",
                          "enum": [
                            "CALLER_RELATIONSHIP_TYPE_UNSPECIFIED",
                            "HAD_CREATED",
                            "CAN_APPROVE",
                            "HAD_APPROVED"
                          ],
                          "enumDescriptions": [
                            "Unspecified caller relationship type.",
                            "The user created this grant by calling `CreateGrant` earlier.",
                            "The user is an approver for the entitlement that this grant is parented under and can currently approve/deny it.",
                            "The caller had successfully approved/denied this grant earlier."
                          ],
                          "description": "Required. Only grants which the caller is related to by this relationship are returned in the response."
                        },
                        "pageSize": {
                          "location": "query",
                          "type": "integer",
                          "description": "Optional. Requested page size. The server may return fewer items than requested. If unspecified, server picks an appropriate default.",
                          "format": "int32"
                        }
                      },
                      "path": "v1/{+parent}/grants:search",
                      "description": "`SearchGrants` returns grants that are related to the calling user in the specified way."
                    },
                    "deny": {
                      "flatPath": "v1/organizations/{organizationsId}/locations/{locationsId}/entitlements/{entitlementsId}/grants/{grantsId}:deny",
                      "httpMethod": "POST",
                      "id": "privilegedaccessmanager.organizations.locations.entitlements.grants.deny",
                      "parameterOrder": [
                        "name"
                      ],
                      "response": {
                        "$ref": "Grant"
                      },
                      "path": "v1/{+name}:deny",
                      "description": "`DenyGrant` is used to deny a grant. This method can only be called on a grant when it's in the `APPROVAL_AWAITED` state. This operation can't be undone.",
                      "parameters": {
                        "name": {
                          "location": "path",
                          "type": "string",
                          "required": true,
                          "pattern": "^organizations/[^/]+/locations/[^/]+/entitlements/[^/]+/grants/[^/]+$",
                          "description": "Required. Name of the grant resource which is being denied."
                        }
                      },
                      "scopes": [
                        "https://www.googleapis.com/auth/cloud-platform"
                      ],
                      "request": {
                        "$ref": "DenyGrantRequest"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "servicePath": "",
  "basePath": ""
}
