1<html><body> 2<style> 3 4body, h1, h2, h3, div, span, p, pre, a { 5 margin: 0; 6 padding: 0; 7 border: 0; 8 font-weight: inherit; 9 font-style: inherit; 10 font-size: 100%; 11 font-family: inherit; 12 vertical-align: baseline; 13} 14 15body { 16 font-size: 13px; 17 padding: 1em; 18} 19 20h1 { 21 font-size: 26px; 22 margin-bottom: 1em; 23} 24 25h2 { 26 font-size: 24px; 27 margin-bottom: 1em; 28} 29 30h3 { 31 font-size: 20px; 32 margin-bottom: 1em; 33 margin-top: 1em; 34} 35 36pre, code { 37 line-height: 1.5; 38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; 39} 40 41pre { 42 margin-top: 0.5em; 43} 44 45h1, h2, h3, p { 46 font-family: Arial, sans serif; 47} 48 49h1, h2, h3 { 50 border-bottom: solid #CCC 1px; 51} 52 53.toc_element { 54 margin-top: 0.5em; 55} 56 57.firstline { 58 margin-left: 2 em; 59} 60 61.method { 62 margin-top: 1em; 63 border: solid 1px #CCC; 64 padding: 1em; 65 background: #EEE; 66} 67 68.details { 69 font-weight: bold; 70 font-size: 14px; 71} 72 73</style> 74 75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.locations.html">locations</a> . <a href="dlp_v2.projects.locations.content.html">content</a></h1> 76<h2>Instance Methods</h2> 77<p class="toc_element"> 78 <code><a href="#close">close()</a></code></p> 79<p class="firstline">Close httplib2 connections.</p> 80<p class="toc_element"> 81 <code><a href="#deidentify">deidentify(parent, body=None, x__xgafv=None)</a></code></p> 82<p class="firstline">De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.</p> 83<p class="toc_element"> 84 <code><a href="#inspect">inspect(parent, body=None, x__xgafv=None)</a></code></p> 85<p class="firstline">Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,</p> 86<p class="toc_element"> 87 <code><a href="#reidentify">reidentify(parent, body=None, x__xgafv=None)</a></code></p> 88<p class="firstline">Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.</p> 89<h3>Method Details</h3> 90<div class="method"> 91 <code class="details" id="close">close()</code> 92 <pre>Close httplib2 connections.</pre> 93</div> 94 95<div class="method"> 96 <code class="details" id="deidentify">deidentify(parent, body=None, x__xgafv=None)</code> 97 <pre>De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. 98 99Args: 100 parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required) 101 body: object, The request body. 102 The object takes the form of: 103 104{ # Request to de-identify a list of items. 105 "deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument. 106 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere. 107 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 108 { # A transformation to apply to text that is identified as a specific info_type. 109 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 110 { # Type of information detected by the API. 111 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 112 "version": "A String", # Optional version name for this InfoType. 113 }, 114 ], 115 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 116 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 117 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 118 { # Bucket is represented as a range, along with replacement values. 119 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 120 "booleanValue": True or False, # boolean 121 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 122 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 123 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 124 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 125 }, 126 "dayOfWeekValue": "A String", # day of week 127 "floatValue": 3.14, # float 128 "integerValue": "A String", # integer 129 "stringValue": "A String", # string 130 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 131 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 132 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 133 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 134 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 135 }, 136 "timestampValue": "A String", # timestamp 137 }, 138 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 139 "booleanValue": True or False, # boolean 140 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 141 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 142 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 143 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 144 }, 145 "dayOfWeekValue": "A String", # day of week 146 "floatValue": 3.14, # float 147 "integerValue": "A String", # integer 148 "stringValue": "A String", # string 149 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 150 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 151 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 152 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 153 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 154 }, 155 "timestampValue": "A String", # timestamp 156 }, 157 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 158 "booleanValue": True or False, # boolean 159 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 160 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 161 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 162 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 163 }, 164 "dayOfWeekValue": "A String", # day of week 165 "floatValue": 3.14, # float 166 "integerValue": "A String", # integer 167 "stringValue": "A String", # string 168 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 169 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 170 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 171 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 172 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 173 }, 174 "timestampValue": "A String", # timestamp 175 }, 176 }, 177 ], 178 }, 179 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 180 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 181 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 182 "charactersToSkip": "A String", # Characters to not transform when masking. 183 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 184 }, 185 ], 186 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 187 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 188 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 189 }, 190 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 191 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 192 "name": "A String", # Name describing the field. 193 }, 194 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 195 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 196 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 197 "wrappedKey": "A String", # Required. The wrapped data crypto key. 198 }, 199 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 200 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 201 }, 202 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 203 "key": "A String", # Required. A 128/192/256 bit key. 204 }, 205 }, 206 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 207 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 208 "version": "A String", # Optional version name for this InfoType. 209 }, 210 }, 211 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 212 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 213 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 214 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 215 "wrappedKey": "A String", # Required. The wrapped data crypto key. 216 }, 217 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 218 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 219 }, 220 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 221 "key": "A String", # Required. A 128/192/256 bit key. 222 }, 223 }, 224 }, 225 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 226 "commonAlphabet": "A String", # Common alphabets. 227 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 228 "name": "A String", # Name describing the field. 229 }, 230 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 231 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 232 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 233 "wrappedKey": "A String", # Required. The wrapped data crypto key. 234 }, 235 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 236 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 237 }, 238 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 239 "key": "A String", # Required. A 128/192/256 bit key. 240 }, 241 }, 242 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 243 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 244 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 245 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 246 "version": "A String", # Optional version name for this InfoType. 247 }, 248 }, 249 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 250 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 251 "name": "A String", # Name describing the field. 252 }, 253 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 254 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 255 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 256 "wrappedKey": "A String", # Required. The wrapped data crypto key. 257 }, 258 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 259 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 260 }, 261 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 262 "key": "A String", # Required. A 128/192/256 bit key. 263 }, 264 }, 265 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 266 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 267 }, 268 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 269 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 270 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 271 "booleanValue": True or False, # boolean 272 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 273 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 274 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 275 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 276 }, 277 "dayOfWeekValue": "A String", # day of week 278 "floatValue": 3.14, # float 279 "integerValue": "A String", # integer 280 "stringValue": "A String", # string 281 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 282 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 283 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 284 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 285 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 286 }, 287 "timestampValue": "A String", # timestamp 288 }, 289 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 290 "booleanValue": True or False, # boolean 291 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 292 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 293 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 294 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 295 }, 296 "dayOfWeekValue": "A String", # day of week 297 "floatValue": 3.14, # float 298 "integerValue": "A String", # integer 299 "stringValue": "A String", # string 300 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 301 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 302 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 303 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 304 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 305 }, 306 "timestampValue": "A String", # timestamp 307 }, 308 }, 309 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 310 }, 311 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 312 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 313 "booleanValue": True or False, # boolean 314 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 315 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 316 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 317 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 318 }, 319 "dayOfWeekValue": "A String", # day of week 320 "floatValue": 3.14, # float 321 "integerValue": "A String", # integer 322 "stringValue": "A String", # string 323 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 324 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 325 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 326 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 327 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 328 }, 329 "timestampValue": "A String", # timestamp 330 }, 331 }, 332 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 333 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 334 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 335 "A String", 336 ], 337 }, 338 }, 339 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 340 }, 341 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 342 "partToExtract": "A String", # The part of the time to keep. 343 }, 344 }, 345 }, 346 ], 347 }, 348 "recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table. 349 "fieldTransformations": [ # Transform the record by applying various field transformations. 350 { # The transformation to apply to the field. 351 "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85. 352 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 353 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 354 "conditions": [ # A collection of conditions. 355 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 356 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 357 "name": "A String", # Name describing the field. 358 }, 359 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 360 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 361 "booleanValue": True or False, # boolean 362 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 363 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 364 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 365 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 366 }, 367 "dayOfWeekValue": "A String", # day of week 368 "floatValue": 3.14, # float 369 "integerValue": "A String", # integer 370 "stringValue": "A String", # string 371 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 372 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 373 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 374 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 375 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 376 }, 377 "timestampValue": "A String", # timestamp 378 }, 379 }, 380 ], 381 }, 382 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 383 }, 384 }, 385 "fields": [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". 386 { # General identifier of a data field in a storage service. 387 "name": "A String", # Name describing the field. 388 }, 389 ], 390 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`. 391 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 392 { # A transformation to apply to text that is identified as a specific info_type. 393 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 394 { # Type of information detected by the API. 395 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 396 "version": "A String", # Optional version name for this InfoType. 397 }, 398 ], 399 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 400 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 401 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 402 { # Bucket is represented as a range, along with replacement values. 403 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 404 "booleanValue": True or False, # boolean 405 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 406 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 407 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 408 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 409 }, 410 "dayOfWeekValue": "A String", # day of week 411 "floatValue": 3.14, # float 412 "integerValue": "A String", # integer 413 "stringValue": "A String", # string 414 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 415 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 416 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 417 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 418 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 419 }, 420 "timestampValue": "A String", # timestamp 421 }, 422 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 423 "booleanValue": True or False, # boolean 424 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 425 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 426 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 427 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 428 }, 429 "dayOfWeekValue": "A String", # day of week 430 "floatValue": 3.14, # float 431 "integerValue": "A String", # integer 432 "stringValue": "A String", # string 433 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 434 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 435 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 436 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 437 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 438 }, 439 "timestampValue": "A String", # timestamp 440 }, 441 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 442 "booleanValue": True or False, # boolean 443 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 444 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 445 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 446 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 447 }, 448 "dayOfWeekValue": "A String", # day of week 449 "floatValue": 3.14, # float 450 "integerValue": "A String", # integer 451 "stringValue": "A String", # string 452 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 453 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 454 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 455 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 456 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 457 }, 458 "timestampValue": "A String", # timestamp 459 }, 460 }, 461 ], 462 }, 463 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 464 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 465 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 466 "charactersToSkip": "A String", # Characters to not transform when masking. 467 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 468 }, 469 ], 470 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 471 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 472 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 473 }, 474 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 475 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 476 "name": "A String", # Name describing the field. 477 }, 478 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 479 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 480 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 481 "wrappedKey": "A String", # Required. The wrapped data crypto key. 482 }, 483 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 484 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 485 }, 486 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 487 "key": "A String", # Required. A 128/192/256 bit key. 488 }, 489 }, 490 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 491 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 492 "version": "A String", # Optional version name for this InfoType. 493 }, 494 }, 495 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 496 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 497 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 498 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 499 "wrappedKey": "A String", # Required. The wrapped data crypto key. 500 }, 501 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 502 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 503 }, 504 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 505 "key": "A String", # Required. A 128/192/256 bit key. 506 }, 507 }, 508 }, 509 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 510 "commonAlphabet": "A String", # Common alphabets. 511 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 512 "name": "A String", # Name describing the field. 513 }, 514 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 515 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 516 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 517 "wrappedKey": "A String", # Required. The wrapped data crypto key. 518 }, 519 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 520 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 521 }, 522 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 523 "key": "A String", # Required. A 128/192/256 bit key. 524 }, 525 }, 526 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 527 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 528 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 529 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 530 "version": "A String", # Optional version name for this InfoType. 531 }, 532 }, 533 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 534 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 535 "name": "A String", # Name describing the field. 536 }, 537 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 538 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 539 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 540 "wrappedKey": "A String", # Required. The wrapped data crypto key. 541 }, 542 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 543 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 544 }, 545 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 546 "key": "A String", # Required. A 128/192/256 bit key. 547 }, 548 }, 549 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 550 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 551 }, 552 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 553 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 554 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 555 "booleanValue": True or False, # boolean 556 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 557 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 558 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 559 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 560 }, 561 "dayOfWeekValue": "A String", # day of week 562 "floatValue": 3.14, # float 563 "integerValue": "A String", # integer 564 "stringValue": "A String", # string 565 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 566 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 567 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 568 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 569 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 570 }, 571 "timestampValue": "A String", # timestamp 572 }, 573 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 574 "booleanValue": True or False, # boolean 575 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 576 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 577 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 578 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 579 }, 580 "dayOfWeekValue": "A String", # day of week 581 "floatValue": 3.14, # float 582 "integerValue": "A String", # integer 583 "stringValue": "A String", # string 584 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 585 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 586 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 587 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 588 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 589 }, 590 "timestampValue": "A String", # timestamp 591 }, 592 }, 593 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 594 }, 595 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 596 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 597 "booleanValue": True or False, # boolean 598 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 599 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 600 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 601 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 602 }, 603 "dayOfWeekValue": "A String", # day of week 604 "floatValue": 3.14, # float 605 "integerValue": "A String", # integer 606 "stringValue": "A String", # string 607 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 608 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 609 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 610 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 611 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 612 }, 613 "timestampValue": "A String", # timestamp 614 }, 615 }, 616 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 617 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 618 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 619 "A String", 620 ], 621 }, 622 }, 623 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 624 }, 625 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 626 "partToExtract": "A String", # The part of the time to keep. 627 }, 628 }, 629 }, 630 ], 631 }, 632 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. 633 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 634 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 635 { # Bucket is represented as a range, along with replacement values. 636 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 637 "booleanValue": True or False, # boolean 638 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 639 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 640 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 641 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 642 }, 643 "dayOfWeekValue": "A String", # day of week 644 "floatValue": 3.14, # float 645 "integerValue": "A String", # integer 646 "stringValue": "A String", # string 647 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 648 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 649 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 650 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 651 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 652 }, 653 "timestampValue": "A String", # timestamp 654 }, 655 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 656 "booleanValue": True or False, # boolean 657 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 658 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 659 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 660 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 661 }, 662 "dayOfWeekValue": "A String", # day of week 663 "floatValue": 3.14, # float 664 "integerValue": "A String", # integer 665 "stringValue": "A String", # string 666 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 667 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 668 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 669 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 670 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 671 }, 672 "timestampValue": "A String", # timestamp 673 }, 674 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 675 "booleanValue": True or False, # boolean 676 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 677 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 678 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 679 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 680 }, 681 "dayOfWeekValue": "A String", # day of week 682 "floatValue": 3.14, # float 683 "integerValue": "A String", # integer 684 "stringValue": "A String", # string 685 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 686 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 687 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 688 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 689 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 690 }, 691 "timestampValue": "A String", # timestamp 692 }, 693 }, 694 ], 695 }, 696 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 697 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 698 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 699 "charactersToSkip": "A String", # Characters to not transform when masking. 700 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 701 }, 702 ], 703 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 704 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 705 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 706 }, 707 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 708 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 709 "name": "A String", # Name describing the field. 710 }, 711 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 712 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 713 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 714 "wrappedKey": "A String", # Required. The wrapped data crypto key. 715 }, 716 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 717 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 718 }, 719 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 720 "key": "A String", # Required. A 128/192/256 bit key. 721 }, 722 }, 723 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 724 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 725 "version": "A String", # Optional version name for this InfoType. 726 }, 727 }, 728 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 729 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 730 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 731 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 732 "wrappedKey": "A String", # Required. The wrapped data crypto key. 733 }, 734 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 735 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 736 }, 737 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 738 "key": "A String", # Required. A 128/192/256 bit key. 739 }, 740 }, 741 }, 742 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 743 "commonAlphabet": "A String", # Common alphabets. 744 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 745 "name": "A String", # Name describing the field. 746 }, 747 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 748 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 749 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 750 "wrappedKey": "A String", # Required. The wrapped data crypto key. 751 }, 752 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 753 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 754 }, 755 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 756 "key": "A String", # Required. A 128/192/256 bit key. 757 }, 758 }, 759 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 760 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 761 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 762 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 763 "version": "A String", # Optional version name for this InfoType. 764 }, 765 }, 766 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 767 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 768 "name": "A String", # Name describing the field. 769 }, 770 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 771 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 772 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 773 "wrappedKey": "A String", # Required. The wrapped data crypto key. 774 }, 775 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 776 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 777 }, 778 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 779 "key": "A String", # Required. A 128/192/256 bit key. 780 }, 781 }, 782 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 783 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 784 }, 785 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 786 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 787 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 788 "booleanValue": True or False, # boolean 789 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 790 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 791 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 792 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 793 }, 794 "dayOfWeekValue": "A String", # day of week 795 "floatValue": 3.14, # float 796 "integerValue": "A String", # integer 797 "stringValue": "A String", # string 798 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 799 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 800 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 801 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 802 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 803 }, 804 "timestampValue": "A String", # timestamp 805 }, 806 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 807 "booleanValue": True or False, # boolean 808 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 809 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 810 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 811 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 812 }, 813 "dayOfWeekValue": "A String", # day of week 814 "floatValue": 3.14, # float 815 "integerValue": "A String", # integer 816 "stringValue": "A String", # string 817 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 818 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 819 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 820 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 821 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 822 }, 823 "timestampValue": "A String", # timestamp 824 }, 825 }, 826 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 827 }, 828 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 829 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 830 "booleanValue": True or False, # boolean 831 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 832 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 833 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 834 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 835 }, 836 "dayOfWeekValue": "A String", # day of week 837 "floatValue": 3.14, # float 838 "integerValue": "A String", # integer 839 "stringValue": "A String", # string 840 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 841 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 842 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 843 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 844 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 845 }, 846 "timestampValue": "A String", # timestamp 847 }, 848 }, 849 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 850 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 851 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 852 "A String", 853 ], 854 }, 855 }, 856 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 857 }, 858 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 859 "partToExtract": "A String", # The part of the time to keep. 860 }, 861 }, 862 }, 863 ], 864 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output. 865 { # Configuration to suppress records whose suppression conditions evaluate to true. 866 "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content. 867 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 868 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 869 "conditions": [ # A collection of conditions. 870 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 871 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 872 "name": "A String", # Name describing the field. 873 }, 874 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 875 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 876 "booleanValue": True or False, # boolean 877 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 878 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 879 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 880 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 881 }, 882 "dayOfWeekValue": "A String", # day of week 883 "floatValue": 3.14, # float 884 "integerValue": "A String", # integer 885 "stringValue": "A String", # string 886 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 887 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 888 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 889 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 890 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 891 }, 892 "timestampValue": "A String", # timestamp 893 }, 894 }, 895 ], 896 }, 897 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 898 }, 899 }, 900 }, 901 ], 902 }, 903 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`. 904 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors 905 }, 906 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error 907 }, 908 }, 909 }, 910 "deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged. 911 "inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument. 912 "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included. 913 "A String", 914 ], 915 "customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. 916 { # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question. 917 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType. 918 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType. 919 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 920 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 921 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 922 42, 923 ], 924 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 925 }, 926 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 927 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 928 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 929 }, 930 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 931 "windowAfter": 42, # Number of characters after the finding to consider. 932 "windowBefore": 42, # Number of characters before the finding to consider. 933 }, 934 }, 935 }, 936 ], 937 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType. 938 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 939 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 940 }, 941 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 942 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 943 "A String", 944 ], 945 }, 946 }, 947 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. 948 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type. 949 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 950 "version": "A String", # Optional version name for this InfoType. 951 }, 952 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified. 953 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. 954 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 955 42, 956 ], 957 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 958 }, 959 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`. 960 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system. 961 "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`. 962 }, 963 "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing. 964 }, 965 }, 966 ], 967 "excludeInfoTypes": True or False, # When true, excludes type information of the findings. 968 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote. 969 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time. 970 { # Type of information detected by the API. 971 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 972 "version": "A String", # Optional version name for this InfoType. 973 }, 974 ], 975 "limits": { # Configuration to control the number of findings returned. Cannot be set if de-identification is requested. # Configuration to control the number of findings returned. 976 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. 977 { # Max findings configuration per infoType, per content item or long running DlpJob. 978 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit. 979 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 980 "version": "A String", # Optional version name for this InfoType. 981 }, 982 "maxFindings": 42, # Max findings limit for the given infoType. 983 }, 984 ], 985 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored. 986 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher. 987 }, 988 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more. 989 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type. 990 { # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set. 991 "infoTypes": [ # List of infoTypes this rule set is applied to. 992 { # Type of information detected by the API. 993 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 994 "version": "A String", # Optional version name for this InfoType. 995 }, 996 ], 997 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. 998 { # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`. 999 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule. 1000 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule. 1001 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 1002 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 1003 }, 1004 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 1005 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 1006 "A String", 1007 ], 1008 }, 1009 }, 1010 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. 1011 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "[email protected]" to generate only a single finding, namely email address. 1012 { # Type of information detected by the API. 1013 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1014 "version": "A String", # Optional version name for this InfoType. 1015 }, 1016 ], 1017 }, 1018 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. 1019 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. 1020 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 1021 42, 1022 ], 1023 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 1024 }, 1025 }, 1026 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 1027 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 1028 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 1029 42, 1030 ], 1031 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 1032 }, 1033 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 1034 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 1035 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 1036 }, 1037 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 1038 "windowAfter": 42, # Number of characters after the finding to consider. 1039 "windowBefore": 42, # Number of characters before the finding to consider. 1040 }, 1041 }, 1042 }, 1043 ], 1044 }, 1045 ], 1046 }, 1047 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged. 1048 "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text. 1049 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. 1050 "data": "A String", # Content data to inspect or redact. 1051 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. 1052 }, 1053 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. 1054 "headers": [ # Headers of the table. 1055 { # General identifier of a data field in a storage service. 1056 "name": "A String", # Name describing the field. 1057 }, 1058 ], 1059 "rows": [ # Rows of the table. 1060 { # Values of the row. 1061 "values": [ # Individual cells. 1062 { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. 1063 "booleanValue": True or False, # boolean 1064 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1065 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1066 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1067 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1068 }, 1069 "dayOfWeekValue": "A String", # day of week 1070 "floatValue": 3.14, # float 1071 "integerValue": "A String", # integer 1072 "stringValue": "A String", # string 1073 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1074 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1075 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1076 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1077 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1078 }, 1079 "timestampValue": "A String", # timestamp 1080 }, 1081 ], 1082 }, 1083 ], 1084 }, 1085 "value": "A String", # String data to inspect or redact. 1086 }, 1087 "locationId": "A String", # Deprecated. This field has no effect. 1088} 1089 1090 x__xgafv: string, V1 error format. 1091 Allowed values 1092 1 - v1 error format 1093 2 - v2 error format 1094 1095Returns: 1096 An object of the form: 1097 1098 { # Results of de-identifying a ContentItem. 1099 "item": { # Container structure for the content to inspect. # The de-identified item. 1100 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. 1101 "data": "A String", # Content data to inspect or redact. 1102 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. 1103 }, 1104 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. 1105 "headers": [ # Headers of the table. 1106 { # General identifier of a data field in a storage service. 1107 "name": "A String", # Name describing the field. 1108 }, 1109 ], 1110 "rows": [ # Rows of the table. 1111 { # Values of the row. 1112 "values": [ # Individual cells. 1113 { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. 1114 "booleanValue": True or False, # boolean 1115 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1116 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1117 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1118 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1119 }, 1120 "dayOfWeekValue": "A String", # day of week 1121 "floatValue": 3.14, # float 1122 "integerValue": "A String", # integer 1123 "stringValue": "A String", # string 1124 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1125 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1126 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1127 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1128 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1129 }, 1130 "timestampValue": "A String", # timestamp 1131 }, 1132 ], 1133 }, 1134 ], 1135 }, 1136 "value": "A String", # String data to inspect or redact. 1137 }, 1138 "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`. 1139 "transformationSummaries": [ # Transformations applied to the dataset. 1140 { # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set. 1141 "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId. 1142 "name": "A String", # Name describing the field. 1143 }, 1144 "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied. 1145 { # The transformation to apply to the field. 1146 "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85. 1147 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 1148 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 1149 "conditions": [ # A collection of conditions. 1150 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 1151 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 1152 "name": "A String", # Name describing the field. 1153 }, 1154 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 1155 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 1156 "booleanValue": True or False, # boolean 1157 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1158 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1159 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1160 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1161 }, 1162 "dayOfWeekValue": "A String", # day of week 1163 "floatValue": 3.14, # float 1164 "integerValue": "A String", # integer 1165 "stringValue": "A String", # string 1166 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1167 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1168 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1169 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1170 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1171 }, 1172 "timestampValue": "A String", # timestamp 1173 }, 1174 }, 1175 ], 1176 }, 1177 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 1178 }, 1179 }, 1180 "fields": [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". 1181 { # General identifier of a data field in a storage service. 1182 "name": "A String", # Name describing the field. 1183 }, 1184 ], 1185 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`. 1186 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 1187 { # A transformation to apply to text that is identified as a specific info_type. 1188 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 1189 { # Type of information detected by the API. 1190 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1191 "version": "A String", # Optional version name for this InfoType. 1192 }, 1193 ], 1194 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 1195 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 1196 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 1197 { # Bucket is represented as a range, along with replacement values. 1198 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 1199 "booleanValue": True or False, # boolean 1200 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1201 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1202 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1203 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1204 }, 1205 "dayOfWeekValue": "A String", # day of week 1206 "floatValue": 3.14, # float 1207 "integerValue": "A String", # integer 1208 "stringValue": "A String", # string 1209 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1210 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1211 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1212 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1213 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1214 }, 1215 "timestampValue": "A String", # timestamp 1216 }, 1217 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 1218 "booleanValue": True or False, # boolean 1219 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1220 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1221 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1222 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1223 }, 1224 "dayOfWeekValue": "A String", # day of week 1225 "floatValue": 3.14, # float 1226 "integerValue": "A String", # integer 1227 "stringValue": "A String", # string 1228 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1229 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1230 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1231 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1232 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1233 }, 1234 "timestampValue": "A String", # timestamp 1235 }, 1236 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 1237 "booleanValue": True or False, # boolean 1238 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1239 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1240 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1241 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1242 }, 1243 "dayOfWeekValue": "A String", # day of week 1244 "floatValue": 3.14, # float 1245 "integerValue": "A String", # integer 1246 "stringValue": "A String", # string 1247 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1248 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1249 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1250 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1251 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1252 }, 1253 "timestampValue": "A String", # timestamp 1254 }, 1255 }, 1256 ], 1257 }, 1258 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 1259 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 1260 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 1261 "charactersToSkip": "A String", # Characters to not transform when masking. 1262 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 1263 }, 1264 ], 1265 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 1266 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 1267 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 1268 }, 1269 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 1270 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 1271 "name": "A String", # Name describing the field. 1272 }, 1273 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 1274 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1275 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1276 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1277 }, 1278 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1279 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1280 }, 1281 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1282 "key": "A String", # Required. A 128/192/256 bit key. 1283 }, 1284 }, 1285 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 1286 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1287 "version": "A String", # Optional version name for this InfoType. 1288 }, 1289 }, 1290 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 1291 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 1292 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1293 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1294 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1295 }, 1296 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1297 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1298 }, 1299 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1300 "key": "A String", # Required. A 128/192/256 bit key. 1301 }, 1302 }, 1303 }, 1304 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 1305 "commonAlphabet": "A String", # Common alphabets. 1306 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 1307 "name": "A String", # Name describing the field. 1308 }, 1309 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 1310 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1311 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1312 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1313 }, 1314 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1315 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1316 }, 1317 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1318 "key": "A String", # Required. A 128/192/256 bit key. 1319 }, 1320 }, 1321 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 1322 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 1323 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 1324 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1325 "version": "A String", # Optional version name for this InfoType. 1326 }, 1327 }, 1328 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 1329 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 1330 "name": "A String", # Name describing the field. 1331 }, 1332 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 1333 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1334 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1335 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1336 }, 1337 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1338 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1339 }, 1340 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1341 "key": "A String", # Required. A 128/192/256 bit key. 1342 }, 1343 }, 1344 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 1345 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 1346 }, 1347 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 1348 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 1349 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 1350 "booleanValue": True or False, # boolean 1351 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1352 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1353 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1354 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1355 }, 1356 "dayOfWeekValue": "A String", # day of week 1357 "floatValue": 3.14, # float 1358 "integerValue": "A String", # integer 1359 "stringValue": "A String", # string 1360 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1361 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1362 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1363 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1364 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1365 }, 1366 "timestampValue": "A String", # timestamp 1367 }, 1368 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 1369 "booleanValue": True or False, # boolean 1370 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1371 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1372 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1373 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1374 }, 1375 "dayOfWeekValue": "A String", # day of week 1376 "floatValue": 3.14, # float 1377 "integerValue": "A String", # integer 1378 "stringValue": "A String", # string 1379 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1380 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1381 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1382 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1383 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1384 }, 1385 "timestampValue": "A String", # timestamp 1386 }, 1387 }, 1388 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 1389 }, 1390 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 1391 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 1392 "booleanValue": True or False, # boolean 1393 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1394 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1395 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1396 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1397 }, 1398 "dayOfWeekValue": "A String", # day of week 1399 "floatValue": 3.14, # float 1400 "integerValue": "A String", # integer 1401 "stringValue": "A String", # string 1402 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1403 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1404 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1405 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1406 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1407 }, 1408 "timestampValue": "A String", # timestamp 1409 }, 1410 }, 1411 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 1412 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 1413 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 1414 "A String", 1415 ], 1416 }, 1417 }, 1418 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 1419 }, 1420 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 1421 "partToExtract": "A String", # The part of the time to keep. 1422 }, 1423 }, 1424 }, 1425 ], 1426 }, 1427 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. 1428 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 1429 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 1430 { # Bucket is represented as a range, along with replacement values. 1431 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 1432 "booleanValue": True or False, # boolean 1433 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1434 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1435 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1436 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1437 }, 1438 "dayOfWeekValue": "A String", # day of week 1439 "floatValue": 3.14, # float 1440 "integerValue": "A String", # integer 1441 "stringValue": "A String", # string 1442 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1443 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1444 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1445 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1446 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1447 }, 1448 "timestampValue": "A String", # timestamp 1449 }, 1450 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 1451 "booleanValue": True or False, # boolean 1452 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1453 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1454 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1455 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1456 }, 1457 "dayOfWeekValue": "A String", # day of week 1458 "floatValue": 3.14, # float 1459 "integerValue": "A String", # integer 1460 "stringValue": "A String", # string 1461 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1462 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1463 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1464 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1465 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1466 }, 1467 "timestampValue": "A String", # timestamp 1468 }, 1469 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 1470 "booleanValue": True or False, # boolean 1471 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1472 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1473 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1474 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1475 }, 1476 "dayOfWeekValue": "A String", # day of week 1477 "floatValue": 3.14, # float 1478 "integerValue": "A String", # integer 1479 "stringValue": "A String", # string 1480 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1481 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1482 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1483 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1484 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1485 }, 1486 "timestampValue": "A String", # timestamp 1487 }, 1488 }, 1489 ], 1490 }, 1491 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 1492 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 1493 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 1494 "charactersToSkip": "A String", # Characters to not transform when masking. 1495 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 1496 }, 1497 ], 1498 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 1499 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 1500 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 1501 }, 1502 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 1503 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 1504 "name": "A String", # Name describing the field. 1505 }, 1506 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 1507 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1508 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1509 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1510 }, 1511 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1512 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1513 }, 1514 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1515 "key": "A String", # Required. A 128/192/256 bit key. 1516 }, 1517 }, 1518 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 1519 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1520 "version": "A String", # Optional version name for this InfoType. 1521 }, 1522 }, 1523 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 1524 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 1525 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1526 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1527 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1528 }, 1529 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1530 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1531 }, 1532 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1533 "key": "A String", # Required. A 128/192/256 bit key. 1534 }, 1535 }, 1536 }, 1537 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 1538 "commonAlphabet": "A String", # Common alphabets. 1539 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 1540 "name": "A String", # Name describing the field. 1541 }, 1542 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 1543 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1544 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1545 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1546 }, 1547 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1548 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1549 }, 1550 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1551 "key": "A String", # Required. A 128/192/256 bit key. 1552 }, 1553 }, 1554 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 1555 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 1556 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 1557 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1558 "version": "A String", # Optional version name for this InfoType. 1559 }, 1560 }, 1561 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 1562 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 1563 "name": "A String", # Name describing the field. 1564 }, 1565 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 1566 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1567 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1568 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1569 }, 1570 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1571 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1572 }, 1573 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1574 "key": "A String", # Required. A 128/192/256 bit key. 1575 }, 1576 }, 1577 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 1578 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 1579 }, 1580 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 1581 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 1582 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 1583 "booleanValue": True or False, # boolean 1584 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1585 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1586 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1587 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1588 }, 1589 "dayOfWeekValue": "A String", # day of week 1590 "floatValue": 3.14, # float 1591 "integerValue": "A String", # integer 1592 "stringValue": "A String", # string 1593 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1594 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1595 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1596 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1597 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1598 }, 1599 "timestampValue": "A String", # timestamp 1600 }, 1601 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 1602 "booleanValue": True or False, # boolean 1603 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1604 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1605 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1606 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1607 }, 1608 "dayOfWeekValue": "A String", # day of week 1609 "floatValue": 3.14, # float 1610 "integerValue": "A String", # integer 1611 "stringValue": "A String", # string 1612 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1613 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1614 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1615 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1616 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1617 }, 1618 "timestampValue": "A String", # timestamp 1619 }, 1620 }, 1621 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 1622 }, 1623 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 1624 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 1625 "booleanValue": True or False, # boolean 1626 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1627 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1628 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1629 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1630 }, 1631 "dayOfWeekValue": "A String", # day of week 1632 "floatValue": 3.14, # float 1633 "integerValue": "A String", # integer 1634 "stringValue": "A String", # string 1635 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1636 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1637 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1638 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1639 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1640 }, 1641 "timestampValue": "A String", # timestamp 1642 }, 1643 }, 1644 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 1645 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 1646 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 1647 "A String", 1648 ], 1649 }, 1650 }, 1651 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 1652 }, 1653 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 1654 "partToExtract": "A String", # The part of the time to keep. 1655 }, 1656 }, 1657 }, 1658 ], 1659 "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType. 1660 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1661 "version": "A String", # Optional version name for this InfoType. 1662 }, 1663 "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to. 1664 "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content. 1665 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 1666 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 1667 "conditions": [ # A collection of conditions. 1668 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 1669 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 1670 "name": "A String", # Name describing the field. 1671 }, 1672 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 1673 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 1674 "booleanValue": True or False, # boolean 1675 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1676 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1677 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1678 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1679 }, 1680 "dayOfWeekValue": "A String", # day of week 1681 "floatValue": 3.14, # float 1682 "integerValue": "A String", # integer 1683 "stringValue": "A String", # string 1684 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1685 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1686 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1687 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1688 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1689 }, 1690 "timestampValue": "A String", # timestamp 1691 }, 1692 }, 1693 ], 1694 }, 1695 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 1696 }, 1697 }, 1698 }, 1699 "results": [ # Collection of all transformations that took place or had an error. 1700 { # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred. 1701 "code": "A String", # Outcome of the transformation. 1702 "count": "A String", # Number of transformations counted by this result. 1703 "details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected. 1704 }, 1705 ], 1706 "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to. 1707 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 1708 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 1709 { # Bucket is represented as a range, along with replacement values. 1710 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 1711 "booleanValue": True or False, # boolean 1712 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1713 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1714 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1715 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1716 }, 1717 "dayOfWeekValue": "A String", # day of week 1718 "floatValue": 3.14, # float 1719 "integerValue": "A String", # integer 1720 "stringValue": "A String", # string 1721 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1722 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1723 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1724 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1725 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1726 }, 1727 "timestampValue": "A String", # timestamp 1728 }, 1729 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 1730 "booleanValue": True or False, # boolean 1731 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1732 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1733 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1734 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1735 }, 1736 "dayOfWeekValue": "A String", # day of week 1737 "floatValue": 3.14, # float 1738 "integerValue": "A String", # integer 1739 "stringValue": "A String", # string 1740 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1741 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1742 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1743 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1744 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1745 }, 1746 "timestampValue": "A String", # timestamp 1747 }, 1748 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 1749 "booleanValue": True or False, # boolean 1750 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1751 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1752 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1753 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1754 }, 1755 "dayOfWeekValue": "A String", # day of week 1756 "floatValue": 3.14, # float 1757 "integerValue": "A String", # integer 1758 "stringValue": "A String", # string 1759 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1760 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1761 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1762 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1763 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1764 }, 1765 "timestampValue": "A String", # timestamp 1766 }, 1767 }, 1768 ], 1769 }, 1770 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 1771 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 1772 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 1773 "charactersToSkip": "A String", # Characters to not transform when masking. 1774 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 1775 }, 1776 ], 1777 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 1778 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 1779 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 1780 }, 1781 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 1782 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 1783 "name": "A String", # Name describing the field. 1784 }, 1785 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 1786 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1787 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1788 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1789 }, 1790 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1791 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1792 }, 1793 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1794 "key": "A String", # Required. A 128/192/256 bit key. 1795 }, 1796 }, 1797 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 1798 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1799 "version": "A String", # Optional version name for this InfoType. 1800 }, 1801 }, 1802 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 1803 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 1804 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1805 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1806 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1807 }, 1808 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1809 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1810 }, 1811 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1812 "key": "A String", # Required. A 128/192/256 bit key. 1813 }, 1814 }, 1815 }, 1816 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 1817 "commonAlphabet": "A String", # Common alphabets. 1818 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 1819 "name": "A String", # Name describing the field. 1820 }, 1821 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 1822 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1823 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1824 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1825 }, 1826 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1827 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1828 }, 1829 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1830 "key": "A String", # Required. A 128/192/256 bit key. 1831 }, 1832 }, 1833 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 1834 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 1835 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 1836 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1837 "version": "A String", # Optional version name for this InfoType. 1838 }, 1839 }, 1840 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 1841 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 1842 "name": "A String", # Name describing the field. 1843 }, 1844 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 1845 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 1846 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 1847 "wrappedKey": "A String", # Required. The wrapped data crypto key. 1848 }, 1849 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 1850 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 1851 }, 1852 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 1853 "key": "A String", # Required. A 128/192/256 bit key. 1854 }, 1855 }, 1856 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 1857 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 1858 }, 1859 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 1860 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 1861 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 1862 "booleanValue": True or False, # boolean 1863 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1864 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1865 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1866 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1867 }, 1868 "dayOfWeekValue": "A String", # day of week 1869 "floatValue": 3.14, # float 1870 "integerValue": "A String", # integer 1871 "stringValue": "A String", # string 1872 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1873 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1874 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1875 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1876 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1877 }, 1878 "timestampValue": "A String", # timestamp 1879 }, 1880 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 1881 "booleanValue": True or False, # boolean 1882 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1883 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1884 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1885 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1886 }, 1887 "dayOfWeekValue": "A String", # day of week 1888 "floatValue": 3.14, # float 1889 "integerValue": "A String", # integer 1890 "stringValue": "A String", # string 1891 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1892 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1893 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1894 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1895 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1896 }, 1897 "timestampValue": "A String", # timestamp 1898 }, 1899 }, 1900 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 1901 }, 1902 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 1903 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 1904 "booleanValue": True or False, # boolean 1905 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 1906 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 1907 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 1908 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 1909 }, 1910 "dayOfWeekValue": "A String", # day of week 1911 "floatValue": 3.14, # float 1912 "integerValue": "A String", # integer 1913 "stringValue": "A String", # string 1914 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 1915 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 1916 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 1917 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 1918 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 1919 }, 1920 "timestampValue": "A String", # timestamp 1921 }, 1922 }, 1923 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 1924 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 1925 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 1926 "A String", 1927 ], 1928 }, 1929 }, 1930 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 1931 }, 1932 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 1933 "partToExtract": "A String", # The part of the time to keep. 1934 }, 1935 }, 1936 "transformedBytes": "A String", # Total size in bytes that were transformed in some way. 1937 }, 1938 ], 1939 "transformedBytes": "A String", # Total size in bytes that were transformed in some way. 1940 }, 1941}</pre> 1942</div> 1943 1944<div class="method"> 1945 <code class="details" id="inspect">inspect(parent, body=None, x__xgafv=None)</code> 1946 <pre>Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text, 1947 1948Args: 1949 parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required) 1950 body: object, The request body. 1951 The object takes the form of: 1952 1953{ # Request to search for potentially sensitive info in a ContentItem. 1954 "inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument. 1955 "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included. 1956 "A String", 1957 ], 1958 "customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. 1959 { # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question. 1960 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType. 1961 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType. 1962 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 1963 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 1964 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 1965 42, 1966 ], 1967 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 1968 }, 1969 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 1970 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 1971 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 1972 }, 1973 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 1974 "windowAfter": 42, # Number of characters after the finding to consider. 1975 "windowBefore": 42, # Number of characters before the finding to consider. 1976 }, 1977 }, 1978 }, 1979 ], 1980 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType. 1981 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 1982 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 1983 }, 1984 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 1985 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 1986 "A String", 1987 ], 1988 }, 1989 }, 1990 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. 1991 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type. 1992 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 1993 "version": "A String", # Optional version name for this InfoType. 1994 }, 1995 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified. 1996 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. 1997 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 1998 42, 1999 ], 2000 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2001 }, 2002 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`. 2003 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system. 2004 "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`. 2005 }, 2006 "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing. 2007 }, 2008 }, 2009 ], 2010 "excludeInfoTypes": True or False, # When true, excludes type information of the findings. 2011 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote. 2012 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time. 2013 { # Type of information detected by the API. 2014 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2015 "version": "A String", # Optional version name for this InfoType. 2016 }, 2017 ], 2018 "limits": { # Configuration to control the number of findings returned. Cannot be set if de-identification is requested. # Configuration to control the number of findings returned. 2019 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. 2020 { # Max findings configuration per infoType, per content item or long running DlpJob. 2021 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit. 2022 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2023 "version": "A String", # Optional version name for this InfoType. 2024 }, 2025 "maxFindings": 42, # Max findings limit for the given infoType. 2026 }, 2027 ], 2028 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored. 2029 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher. 2030 }, 2031 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more. 2032 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type. 2033 { # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set. 2034 "infoTypes": [ # List of infoTypes this rule set is applied to. 2035 { # Type of information detected by the API. 2036 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2037 "version": "A String", # Optional version name for this InfoType. 2038 }, 2039 ], 2040 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. 2041 { # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`. 2042 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule. 2043 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule. 2044 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 2045 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 2046 }, 2047 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 2048 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 2049 "A String", 2050 ], 2051 }, 2052 }, 2053 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. 2054 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "[email protected]" to generate only a single finding, namely email address. 2055 { # Type of information detected by the API. 2056 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2057 "version": "A String", # Optional version name for this InfoType. 2058 }, 2059 ], 2060 }, 2061 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. 2062 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. 2063 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2064 42, 2065 ], 2066 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2067 }, 2068 }, 2069 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 2070 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 2071 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2072 42, 2073 ], 2074 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2075 }, 2076 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 2077 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 2078 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 2079 }, 2080 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 2081 "windowAfter": 42, # Number of characters after the finding to consider. 2082 "windowBefore": 42, # Number of characters before the finding to consider. 2083 }, 2084 }, 2085 }, 2086 ], 2087 }, 2088 ], 2089 }, 2090 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged. 2091 "item": { # Container structure for the content to inspect. # The item to inspect. 2092 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. 2093 "data": "A String", # Content data to inspect or redact. 2094 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. 2095 }, 2096 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. 2097 "headers": [ # Headers of the table. 2098 { # General identifier of a data field in a storage service. 2099 "name": "A String", # Name describing the field. 2100 }, 2101 ], 2102 "rows": [ # Rows of the table. 2103 { # Values of the row. 2104 "values": [ # Individual cells. 2105 { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. 2106 "booleanValue": True or False, # boolean 2107 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2108 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2109 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2110 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2111 }, 2112 "dayOfWeekValue": "A String", # day of week 2113 "floatValue": 3.14, # float 2114 "integerValue": "A String", # integer 2115 "stringValue": "A String", # string 2116 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2117 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2118 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2119 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2120 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2121 }, 2122 "timestampValue": "A String", # timestamp 2123 }, 2124 ], 2125 }, 2126 ], 2127 }, 2128 "value": "A String", # String data to inspect or redact. 2129 }, 2130 "locationId": "A String", # Deprecated. This field has no effect. 2131} 2132 2133 x__xgafv: string, V1 error format. 2134 Allowed values 2135 1 - v1 error format 2136 2 - v2 error format 2137 2138Returns: 2139 An object of the form: 2140 2141 { # Results of inspecting an item. 2142 "result": { # All the findings for a single scanned item. # The findings. 2143 "findings": [ # List of findings for an item. 2144 { # Represents a piece of potentially sensitive content. 2145 "createTime": "A String", # Timestamp when finding was detected. 2146 "findingId": "A String", # The unique finding id. 2147 "infoType": { # Type of information detected by the API. # The type of content that might have been found. Provided if `excluded_types` is false. 2148 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2149 "version": "A String", # Optional version name for this InfoType. 2150 }, 2151 "jobCreateTime": "A String", # Time the job started that produced this finding. 2152 "jobName": "A String", # The job that stored the finding. 2153 "labels": { # The labels associated with this `Finding`. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 10 labels can be associated with a given finding. Examples: * `"environment" : "production"` * `"pipeline" : "etl"` 2154 "a_key": "A String", 2155 }, 2156 "likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct. 2157 "location": { # Specifies the location of the finding. # Where the content was found. 2158 "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image. 2159 "end": "A String", # Index of the last character of the range (exclusive). 2160 "start": "A String", # Index of the first character of the range (inclusive). 2161 }, 2162 "codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text. 2163 "end": "A String", # Index of the last character of the range (exclusive). 2164 "start": "A String", # Index of the first character of the range (inclusive). 2165 }, 2166 "container": { # Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record. # Information about the container where this finding occurred, if available. 2167 "fullPath": "A String", # A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt' 2168 "projectId": "A String", # Project where the finding was found. Can be different from the project that owns the finding. 2169 "relativePath": "A String", # The rest of the path after the root. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the relative path is `table_id` - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative path is `folder/filename.txt` 2170 "rootPath": "A String", # The root of the container. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the root is `dataset_id` - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root is `gs://bucket` 2171 "type": "A String", # Container type, for example BigQuery or Google Cloud Storage. 2172 "updateTime": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated. 2173 "version": "A String", # Findings container version, if available ("generation" for Google Cloud Storage). 2174 }, 2175 "contentLocations": [ # List of nested objects pointing to the precise location of the finding within the file or record. 2176 { # Precise location of the finding within a document, record, image, or metadata container. 2177 "containerName": "A String", # Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `{project_id}:{dataset_id}.{table_id}` * Cloud Storage files: `gs://{bucket}/{path}` * Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document). 2178 "containerTimestamp": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated. 2179 "containerVersion": "A String", # Findings container version, if available ("generation" for Google Cloud Storage). 2180 "documentLocation": { # Location of a finding within a document. # Location data for document files. 2181 "fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding is located. 2182 }, 2183 "imageLocation": { # Location of the finding within an image. # Location within an image's pixels. 2184 "boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding. 2185 { # Bounding box encompassing detected text within an image. 2186 "height": 42, # Height of the bounding box in pixels. 2187 "left": 42, # Left coordinate of the bounding box. (0,0) is upper left. 2188 "top": 42, # Top coordinate of the bounding box. (0,0) is upper left. 2189 "width": 42, # Width of the bounding box in pixels. 2190 }, 2191 ], 2192 }, 2193 "metadataLocation": { # Metadata Location # Location within the metadata for inspected content. 2194 "storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata. 2195 "key": "A String", 2196 }, 2197 "type": "A String", # Type of metadata containing the finding. 2198 }, 2199 "recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table. 2200 "fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding. 2201 "name": "A String", # Name describing the field. 2202 }, 2203 "recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding. 2204 "bigQueryKey": { # Row key for identifying a record in BigQuery table. 2205 "rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify `inspect_job.storage_config.big_query_options.identifying_fields` in `CreateDlpJobRequest`. 2206 "tableReference": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Complete BigQuery table reference. 2207 "datasetId": "A String", # Dataset ID of the table. 2208 "projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call. 2209 "tableId": "A String", # Name of the table. 2210 }, 2211 }, 2212 "datastoreKey": { # Record key for a finding in Cloud Datastore. 2213 "entityKey": { # A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts. # Datastore entity key. 2214 "partitionId": { # Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID. # Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition. 2215 "namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong. 2216 "projectId": "A String", # The ID of the project to which the entities belong. 2217 }, 2218 "path": [ # The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a _root entity_, the second element identifies a _child_ of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's _ancestors_. A path can never be empty, and a path can have at most 100 elements. 2219 { # A (kind, ID/name) pair used to construct a key path. If either name or ID is set, the element is complete. If neither is set, the element is incomplete. 2220 "id": "A String", # The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future. 2221 "kind": "A String", # The kind of the entity. A kind matching regex `__.*__` is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be `""`. 2222 "name": "A String", # The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`. 2223 }, 2224 ], 2225 }, 2226 }, 2227 "idValues": [ # Values of identifying columns in the given row. Order of values matches the order of `identifying_fields` specified in the scanning request. 2228 "A String", 2229 ], 2230 }, 2231 "tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`. 2232 "rowIndex": "A String", # The zero-based index of the row where the finding is located. Only populated for resources that have a natural ordering, not BigQuery. In BigQuery, to identify the row a finding came from, populate BigQueryOptions.identifying_fields with your primary key column names and when you store the findings the value of those columns will be stored inside of Finding. 2233 }, 2234 }, 2235 }, 2236 ], 2237 }, 2238 "name": "A String", # Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings. 2239 "quote": "A String", # The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if `include_quote` is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted. 2240 "quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME. 2241 "dateTime": { # Message for a date time object. e.g. 2018-01-01, 5th August. # The date time indicated by the quote. 2242 "date": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # One or more of the following must be set. Must be a valid date or time value. 2243 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2244 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2245 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2246 }, 2247 "dayOfWeek": "A String", # Day of week 2248 "time": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # Time of day 2249 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2250 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2251 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2252 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2253 }, 2254 "timeZone": { # Time zone of the date time object. # Time zone 2255 "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540. 2256 }, 2257 }, 2258 }, 2259 "resourceName": "A String", # The job that stored the finding. 2260 "triggerName": "A String", # Job trigger name, if applicable, for this finding. 2261 }, 2262 ], 2263 "findingsTruncated": True or False, # If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches. 2264 }, 2265}</pre> 2266</div> 2267 2268<div class="method"> 2269 <code class="details" id="reidentify">reidentify(parent, body=None, x__xgafv=None)</code> 2270 <pre>Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more. 2271 2272Args: 2273 parent: string, Required. Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required) 2274 body: object, The request body. 2275 The object takes the form of: 2276 2277{ # Request to re-identify an item. 2278 "inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. 2279 "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included. 2280 "A String", 2281 ], 2282 "customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. 2283 { # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question. 2284 "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType. 2285 { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType. 2286 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 2287 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 2288 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2289 42, 2290 ], 2291 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2292 }, 2293 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 2294 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 2295 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 2296 }, 2297 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 2298 "windowAfter": 42, # Number of characters after the finding to consider. 2299 "windowBefore": 42, # Number of characters before the finding to consider. 2300 }, 2301 }, 2302 }, 2303 ], 2304 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType. 2305 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 2306 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 2307 }, 2308 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 2309 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 2310 "A String", 2311 ], 2312 }, 2313 }, 2314 "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. 2315 "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type. 2316 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2317 "version": "A String", # Optional version name for this InfoType. 2318 }, 2319 "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified. 2320 "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType. 2321 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2322 42, 2323 ], 2324 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2325 }, 2326 "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`. 2327 "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system. 2328 "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`. 2329 }, 2330 "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing. 2331 }, 2332 }, 2333 ], 2334 "excludeInfoTypes": True or False, # When true, excludes type information of the findings. 2335 "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote. 2336 "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time. 2337 { # Type of information detected by the API. 2338 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2339 "version": "A String", # Optional version name for this InfoType. 2340 }, 2341 ], 2342 "limits": { # Configuration to control the number of findings returned. Cannot be set if de-identification is requested. # Configuration to control the number of findings returned. 2343 "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes. 2344 { # Max findings configuration per infoType, per content item or long running DlpJob. 2345 "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit. 2346 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2347 "version": "A String", # Optional version name for this InfoType. 2348 }, 2349 "maxFindings": 42, # Max findings limit for the given infoType. 2350 }, 2351 ], 2352 "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored. 2353 "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher. 2354 }, 2355 "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more. 2356 "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type. 2357 { # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set. 2358 "infoTypes": [ # List of infoTypes this rule set is applied to. 2359 { # Type of information detected by the API. 2360 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2361 "version": "A String", # Optional version name for this InfoType. 2362 }, 2363 ], 2364 "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order. 2365 { # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`. 2366 "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule. 2367 "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule. 2368 "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted. 2369 "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt 2370 }, 2371 "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for. 2372 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 2373 "A String", 2374 ], 2375 }, 2376 }, 2377 "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule. 2378 "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "[email protected]" to generate only a single finding, namely email address. 2379 { # Type of information detected by the API. 2380 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2381 "version": "A String", # Optional version name for this InfoType. 2382 }, 2383 ], 2384 }, 2385 "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details. 2386 "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule. 2387 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2388 42, 2389 ], 2390 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2391 }, 2392 }, 2393 "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule. 2394 "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword. 2395 "groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. 2396 42, 2397 ], 2398 "pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 2399 }, 2400 "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings. 2401 "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value. 2402 "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. 2403 }, 2404 "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. 2405 "windowAfter": 42, # Number of characters after the finding to consider. 2406 "windowBefore": 42, # Number of characters before the finding to consider. 2407 }, 2408 }, 2409 }, 2410 ], 2411 }, 2412 ], 2413 }, 2414 "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged. 2415 "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text. 2416 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. 2417 "data": "A String", # Content data to inspect or redact. 2418 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. 2419 }, 2420 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. 2421 "headers": [ # Headers of the table. 2422 { # General identifier of a data field in a storage service. 2423 "name": "A String", # Name describing the field. 2424 }, 2425 ], 2426 "rows": [ # Rows of the table. 2427 { # Values of the row. 2428 "values": [ # Individual cells. 2429 { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. 2430 "booleanValue": True or False, # boolean 2431 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2432 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2433 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2434 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2435 }, 2436 "dayOfWeekValue": "A String", # day of week 2437 "floatValue": 3.14, # float 2438 "integerValue": "A String", # integer 2439 "stringValue": "A String", # string 2440 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2441 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2442 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2443 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2444 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2445 }, 2446 "timestampValue": "A String", # timestamp 2447 }, 2448 ], 2449 }, 2450 ], 2451 }, 2452 "value": "A String", # String data to inspect or redact. 2453 }, 2454 "locationId": "A String", # Deprecated. This field has no effect. 2455 "reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are: - `CryptoDeterministicConfig` - `CryptoReplaceFfxFpeConfig` 2456 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere. 2457 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 2458 { # A transformation to apply to text that is identified as a specific info_type. 2459 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 2460 { # Type of information detected by the API. 2461 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2462 "version": "A String", # Optional version name for this InfoType. 2463 }, 2464 ], 2465 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 2466 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 2467 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 2468 { # Bucket is represented as a range, along with replacement values. 2469 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 2470 "booleanValue": True or False, # boolean 2471 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2472 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2473 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2474 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2475 }, 2476 "dayOfWeekValue": "A String", # day of week 2477 "floatValue": 3.14, # float 2478 "integerValue": "A String", # integer 2479 "stringValue": "A String", # string 2480 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2481 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2482 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2483 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2484 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2485 }, 2486 "timestampValue": "A String", # timestamp 2487 }, 2488 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 2489 "booleanValue": True or False, # boolean 2490 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2491 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2492 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2493 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2494 }, 2495 "dayOfWeekValue": "A String", # day of week 2496 "floatValue": 3.14, # float 2497 "integerValue": "A String", # integer 2498 "stringValue": "A String", # string 2499 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2500 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2501 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2502 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2503 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2504 }, 2505 "timestampValue": "A String", # timestamp 2506 }, 2507 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 2508 "booleanValue": True or False, # boolean 2509 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2510 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2511 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2512 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2513 }, 2514 "dayOfWeekValue": "A String", # day of week 2515 "floatValue": 3.14, # float 2516 "integerValue": "A String", # integer 2517 "stringValue": "A String", # string 2518 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2519 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2520 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2521 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2522 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2523 }, 2524 "timestampValue": "A String", # timestamp 2525 }, 2526 }, 2527 ], 2528 }, 2529 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 2530 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 2531 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 2532 "charactersToSkip": "A String", # Characters to not transform when masking. 2533 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 2534 }, 2535 ], 2536 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 2537 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 2538 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 2539 }, 2540 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 2541 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 2542 "name": "A String", # Name describing the field. 2543 }, 2544 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 2545 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2546 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2547 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2548 }, 2549 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2550 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2551 }, 2552 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2553 "key": "A String", # Required. A 128/192/256 bit key. 2554 }, 2555 }, 2556 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 2557 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2558 "version": "A String", # Optional version name for this InfoType. 2559 }, 2560 }, 2561 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 2562 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 2563 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2564 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2565 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2566 }, 2567 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2568 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2569 }, 2570 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2571 "key": "A String", # Required. A 128/192/256 bit key. 2572 }, 2573 }, 2574 }, 2575 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 2576 "commonAlphabet": "A String", # Common alphabets. 2577 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 2578 "name": "A String", # Name describing the field. 2579 }, 2580 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 2581 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2582 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2583 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2584 }, 2585 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2586 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2587 }, 2588 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2589 "key": "A String", # Required. A 128/192/256 bit key. 2590 }, 2591 }, 2592 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 2593 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 2594 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 2595 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2596 "version": "A String", # Optional version name for this InfoType. 2597 }, 2598 }, 2599 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 2600 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 2601 "name": "A String", # Name describing the field. 2602 }, 2603 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 2604 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2605 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2606 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2607 }, 2608 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2609 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2610 }, 2611 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2612 "key": "A String", # Required. A 128/192/256 bit key. 2613 }, 2614 }, 2615 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 2616 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 2617 }, 2618 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 2619 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 2620 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 2621 "booleanValue": True or False, # boolean 2622 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2623 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2624 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2625 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2626 }, 2627 "dayOfWeekValue": "A String", # day of week 2628 "floatValue": 3.14, # float 2629 "integerValue": "A String", # integer 2630 "stringValue": "A String", # string 2631 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2632 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2633 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2634 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2635 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2636 }, 2637 "timestampValue": "A String", # timestamp 2638 }, 2639 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 2640 "booleanValue": True or False, # boolean 2641 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2642 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2643 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2644 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2645 }, 2646 "dayOfWeekValue": "A String", # day of week 2647 "floatValue": 3.14, # float 2648 "integerValue": "A String", # integer 2649 "stringValue": "A String", # string 2650 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2651 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2652 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2653 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2654 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2655 }, 2656 "timestampValue": "A String", # timestamp 2657 }, 2658 }, 2659 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 2660 }, 2661 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 2662 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 2663 "booleanValue": True or False, # boolean 2664 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2665 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2666 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2667 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2668 }, 2669 "dayOfWeekValue": "A String", # day of week 2670 "floatValue": 3.14, # float 2671 "integerValue": "A String", # integer 2672 "stringValue": "A String", # string 2673 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2674 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2675 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2676 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2677 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2678 }, 2679 "timestampValue": "A String", # timestamp 2680 }, 2681 }, 2682 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 2683 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 2684 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 2685 "A String", 2686 ], 2687 }, 2688 }, 2689 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 2690 }, 2691 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 2692 "partToExtract": "A String", # The part of the time to keep. 2693 }, 2694 }, 2695 }, 2696 ], 2697 }, 2698 "recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table. 2699 "fieldTransformations": [ # Transform the record by applying various field transformations. 2700 { # The transformation to apply to the field. 2701 "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85. 2702 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 2703 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 2704 "conditions": [ # A collection of conditions. 2705 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 2706 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 2707 "name": "A String", # Name describing the field. 2708 }, 2709 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 2710 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 2711 "booleanValue": True or False, # boolean 2712 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2713 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2714 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2715 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2716 }, 2717 "dayOfWeekValue": "A String", # day of week 2718 "floatValue": 3.14, # float 2719 "integerValue": "A String", # integer 2720 "stringValue": "A String", # string 2721 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2722 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2723 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2724 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2725 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2726 }, 2727 "timestampValue": "A String", # timestamp 2728 }, 2729 }, 2730 ], 2731 }, 2732 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 2733 }, 2734 }, 2735 "fields": [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". 2736 { # General identifier of a data field in a storage service. 2737 "name": "A String", # Name describing the field. 2738 }, 2739 ], 2740 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`. 2741 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 2742 { # A transformation to apply to text that is identified as a specific info_type. 2743 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 2744 { # Type of information detected by the API. 2745 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2746 "version": "A String", # Optional version name for this InfoType. 2747 }, 2748 ], 2749 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 2750 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 2751 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 2752 { # Bucket is represented as a range, along with replacement values. 2753 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 2754 "booleanValue": True or False, # boolean 2755 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2756 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2757 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2758 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2759 }, 2760 "dayOfWeekValue": "A String", # day of week 2761 "floatValue": 3.14, # float 2762 "integerValue": "A String", # integer 2763 "stringValue": "A String", # string 2764 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2765 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2766 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2767 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2768 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2769 }, 2770 "timestampValue": "A String", # timestamp 2771 }, 2772 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 2773 "booleanValue": True or False, # boolean 2774 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2775 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2776 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2777 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2778 }, 2779 "dayOfWeekValue": "A String", # day of week 2780 "floatValue": 3.14, # float 2781 "integerValue": "A String", # integer 2782 "stringValue": "A String", # string 2783 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2784 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2785 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2786 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2787 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2788 }, 2789 "timestampValue": "A String", # timestamp 2790 }, 2791 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 2792 "booleanValue": True or False, # boolean 2793 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2794 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2795 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2796 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2797 }, 2798 "dayOfWeekValue": "A String", # day of week 2799 "floatValue": 3.14, # float 2800 "integerValue": "A String", # integer 2801 "stringValue": "A String", # string 2802 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2803 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2804 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2805 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2806 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2807 }, 2808 "timestampValue": "A String", # timestamp 2809 }, 2810 }, 2811 ], 2812 }, 2813 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 2814 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 2815 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 2816 "charactersToSkip": "A String", # Characters to not transform when masking. 2817 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 2818 }, 2819 ], 2820 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 2821 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 2822 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 2823 }, 2824 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 2825 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 2826 "name": "A String", # Name describing the field. 2827 }, 2828 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 2829 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2830 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2831 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2832 }, 2833 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2834 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2835 }, 2836 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2837 "key": "A String", # Required. A 128/192/256 bit key. 2838 }, 2839 }, 2840 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 2841 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2842 "version": "A String", # Optional version name for this InfoType. 2843 }, 2844 }, 2845 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 2846 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 2847 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2848 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2849 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2850 }, 2851 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2852 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2853 }, 2854 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2855 "key": "A String", # Required. A 128/192/256 bit key. 2856 }, 2857 }, 2858 }, 2859 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 2860 "commonAlphabet": "A String", # Common alphabets. 2861 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 2862 "name": "A String", # Name describing the field. 2863 }, 2864 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 2865 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2866 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2867 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2868 }, 2869 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2870 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2871 }, 2872 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2873 "key": "A String", # Required. A 128/192/256 bit key. 2874 }, 2875 }, 2876 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 2877 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 2878 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 2879 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 2880 "version": "A String", # Optional version name for this InfoType. 2881 }, 2882 }, 2883 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 2884 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 2885 "name": "A String", # Name describing the field. 2886 }, 2887 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 2888 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 2889 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 2890 "wrappedKey": "A String", # Required. The wrapped data crypto key. 2891 }, 2892 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 2893 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 2894 }, 2895 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 2896 "key": "A String", # Required. A 128/192/256 bit key. 2897 }, 2898 }, 2899 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 2900 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 2901 }, 2902 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 2903 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 2904 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 2905 "booleanValue": True or False, # boolean 2906 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2907 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2908 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2909 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2910 }, 2911 "dayOfWeekValue": "A String", # day of week 2912 "floatValue": 3.14, # float 2913 "integerValue": "A String", # integer 2914 "stringValue": "A String", # string 2915 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2916 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2917 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2918 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2919 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2920 }, 2921 "timestampValue": "A String", # timestamp 2922 }, 2923 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 2924 "booleanValue": True or False, # boolean 2925 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2926 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2927 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2928 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2929 }, 2930 "dayOfWeekValue": "A String", # day of week 2931 "floatValue": 3.14, # float 2932 "integerValue": "A String", # integer 2933 "stringValue": "A String", # string 2934 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2935 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2936 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2937 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2938 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2939 }, 2940 "timestampValue": "A String", # timestamp 2941 }, 2942 }, 2943 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 2944 }, 2945 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 2946 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 2947 "booleanValue": True or False, # boolean 2948 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2949 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2950 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2951 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2952 }, 2953 "dayOfWeekValue": "A String", # day of week 2954 "floatValue": 3.14, # float 2955 "integerValue": "A String", # integer 2956 "stringValue": "A String", # string 2957 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2958 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2959 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 2960 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 2961 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 2962 }, 2963 "timestampValue": "A String", # timestamp 2964 }, 2965 }, 2966 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 2967 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 2968 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 2969 "A String", 2970 ], 2971 }, 2972 }, 2973 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 2974 }, 2975 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 2976 "partToExtract": "A String", # The part of the time to keep. 2977 }, 2978 }, 2979 }, 2980 ], 2981 }, 2982 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. 2983 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 2984 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 2985 { # Bucket is represented as a range, along with replacement values. 2986 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 2987 "booleanValue": True or False, # boolean 2988 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 2989 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 2990 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 2991 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 2992 }, 2993 "dayOfWeekValue": "A String", # day of week 2994 "floatValue": 3.14, # float 2995 "integerValue": "A String", # integer 2996 "stringValue": "A String", # string 2997 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 2998 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 2999 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3000 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3001 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3002 }, 3003 "timestampValue": "A String", # timestamp 3004 }, 3005 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 3006 "booleanValue": True or False, # boolean 3007 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3008 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3009 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3010 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3011 }, 3012 "dayOfWeekValue": "A String", # day of week 3013 "floatValue": 3.14, # float 3014 "integerValue": "A String", # integer 3015 "stringValue": "A String", # string 3016 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3017 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3018 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3019 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3020 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3021 }, 3022 "timestampValue": "A String", # timestamp 3023 }, 3024 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 3025 "booleanValue": True or False, # boolean 3026 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3027 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3028 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3029 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3030 }, 3031 "dayOfWeekValue": "A String", # day of week 3032 "floatValue": 3.14, # float 3033 "integerValue": "A String", # integer 3034 "stringValue": "A String", # string 3035 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3036 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3037 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3038 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3039 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3040 }, 3041 "timestampValue": "A String", # timestamp 3042 }, 3043 }, 3044 ], 3045 }, 3046 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 3047 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 3048 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 3049 "charactersToSkip": "A String", # Characters to not transform when masking. 3050 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 3051 }, 3052 ], 3053 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 3054 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 3055 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 3056 }, 3057 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 3058 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 3059 "name": "A String", # Name describing the field. 3060 }, 3061 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 3062 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3063 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3064 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3065 }, 3066 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3067 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3068 }, 3069 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3070 "key": "A String", # Required. A 128/192/256 bit key. 3071 }, 3072 }, 3073 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 3074 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3075 "version": "A String", # Optional version name for this InfoType. 3076 }, 3077 }, 3078 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 3079 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 3080 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3081 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3082 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3083 }, 3084 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3085 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3086 }, 3087 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3088 "key": "A String", # Required. A 128/192/256 bit key. 3089 }, 3090 }, 3091 }, 3092 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 3093 "commonAlphabet": "A String", # Common alphabets. 3094 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 3095 "name": "A String", # Name describing the field. 3096 }, 3097 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 3098 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3099 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3100 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3101 }, 3102 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3103 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3104 }, 3105 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3106 "key": "A String", # Required. A 128/192/256 bit key. 3107 }, 3108 }, 3109 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 3110 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 3111 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 3112 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3113 "version": "A String", # Optional version name for this InfoType. 3114 }, 3115 }, 3116 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 3117 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 3118 "name": "A String", # Name describing the field. 3119 }, 3120 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 3121 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3122 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3123 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3124 }, 3125 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3126 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3127 }, 3128 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3129 "key": "A String", # Required. A 128/192/256 bit key. 3130 }, 3131 }, 3132 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 3133 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 3134 }, 3135 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 3136 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 3137 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 3138 "booleanValue": True or False, # boolean 3139 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3140 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3141 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3142 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3143 }, 3144 "dayOfWeekValue": "A String", # day of week 3145 "floatValue": 3.14, # float 3146 "integerValue": "A String", # integer 3147 "stringValue": "A String", # string 3148 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3149 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3150 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3151 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3152 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3153 }, 3154 "timestampValue": "A String", # timestamp 3155 }, 3156 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 3157 "booleanValue": True or False, # boolean 3158 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3159 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3160 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3161 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3162 }, 3163 "dayOfWeekValue": "A String", # day of week 3164 "floatValue": 3.14, # float 3165 "integerValue": "A String", # integer 3166 "stringValue": "A String", # string 3167 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3168 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3169 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3170 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3171 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3172 }, 3173 "timestampValue": "A String", # timestamp 3174 }, 3175 }, 3176 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 3177 }, 3178 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 3179 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 3180 "booleanValue": True or False, # boolean 3181 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3182 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3183 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3184 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3185 }, 3186 "dayOfWeekValue": "A String", # day of week 3187 "floatValue": 3.14, # float 3188 "integerValue": "A String", # integer 3189 "stringValue": "A String", # string 3190 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3191 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3192 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3193 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3194 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3195 }, 3196 "timestampValue": "A String", # timestamp 3197 }, 3198 }, 3199 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 3200 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 3201 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 3202 "A String", 3203 ], 3204 }, 3205 }, 3206 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 3207 }, 3208 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 3209 "partToExtract": "A String", # The part of the time to keep. 3210 }, 3211 }, 3212 }, 3213 ], 3214 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output. 3215 { # Configuration to suppress records whose suppression conditions evaluate to true. 3216 "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content. 3217 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 3218 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 3219 "conditions": [ # A collection of conditions. 3220 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 3221 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 3222 "name": "A String", # Name describing the field. 3223 }, 3224 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 3225 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 3226 "booleanValue": True or False, # boolean 3227 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3228 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3229 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3230 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3231 }, 3232 "dayOfWeekValue": "A String", # day of week 3233 "floatValue": 3.14, # float 3234 "integerValue": "A String", # integer 3235 "stringValue": "A String", # string 3236 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3237 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3238 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3239 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3240 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3241 }, 3242 "timestampValue": "A String", # timestamp 3243 }, 3244 }, 3245 ], 3246 }, 3247 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 3248 }, 3249 }, 3250 }, 3251 ], 3252 }, 3253 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`. 3254 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors 3255 }, 3256 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error 3257 }, 3258 }, 3259 }, 3260 "reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. The `DeidentifyTemplate` used must include only reversible transformations. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged. 3261} 3262 3263 x__xgafv: string, V1 error format. 3264 Allowed values 3265 1 - v1 error format 3266 2 - v2 error format 3267 3268Returns: 3269 An object of the form: 3270 3271 { # Results of re-identifying a item. 3272 "item": { # Container structure for the content to inspect. # The re-identified item. 3273 "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`. 3274 "data": "A String", # Content data to inspect or redact. 3275 "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8. 3276 }, 3277 "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-structured-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. 3278 "headers": [ # Headers of the table. 3279 { # General identifier of a data field in a storage service. 3280 "name": "A String", # Name describing the field. 3281 }, 3282 ], 3283 "rows": [ # Rows of the table. 3284 { # Values of the row. 3285 "values": [ # Individual cells. 3286 { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. 3287 "booleanValue": True or False, # boolean 3288 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3289 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3290 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3291 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3292 }, 3293 "dayOfWeekValue": "A String", # day of week 3294 "floatValue": 3.14, # float 3295 "integerValue": "A String", # integer 3296 "stringValue": "A String", # string 3297 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3298 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3299 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3300 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3301 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3302 }, 3303 "timestampValue": "A String", # timestamp 3304 }, 3305 ], 3306 }, 3307 ], 3308 }, 3309 "value": "A String", # String data to inspect or redact. 3310 }, 3311 "overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`. 3312 "transformationSummaries": [ # Transformations applied to the dataset. 3313 { # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set. 3314 "field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId. 3315 "name": "A String", # Name describing the field. 3316 }, 3317 "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied. 3318 { # The transformation to apply to the field. 3319 "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85. 3320 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 3321 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 3322 "conditions": [ # A collection of conditions. 3323 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 3324 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 3325 "name": "A String", # Name describing the field. 3326 }, 3327 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 3328 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 3329 "booleanValue": True or False, # boolean 3330 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3331 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3332 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3333 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3334 }, 3335 "dayOfWeekValue": "A String", # day of week 3336 "floatValue": 3.14, # float 3337 "integerValue": "A String", # integer 3338 "stringValue": "A String", # string 3339 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3340 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3341 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3342 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3343 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3344 }, 3345 "timestampValue": "A String", # timestamp 3346 }, 3347 }, 3348 ], 3349 }, 3350 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 3351 }, 3352 }, 3353 "fields": [ # Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". 3354 { # General identifier of a data field in a storage service. 3355 "name": "A String", # Name describing the field. 3356 }, 3357 ], 3358 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`. 3359 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType. 3360 { # A transformation to apply to text that is identified as a specific info_type. 3361 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. 3362 { # Type of information detected by the API. 3363 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3364 "version": "A String", # Optional version name for this InfoType. 3365 }, 3366 ], 3367 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. 3368 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 3369 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 3370 { # Bucket is represented as a range, along with replacement values. 3371 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 3372 "booleanValue": True or False, # boolean 3373 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3374 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3375 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3376 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3377 }, 3378 "dayOfWeekValue": "A String", # day of week 3379 "floatValue": 3.14, # float 3380 "integerValue": "A String", # integer 3381 "stringValue": "A String", # string 3382 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3383 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3384 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3385 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3386 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3387 }, 3388 "timestampValue": "A String", # timestamp 3389 }, 3390 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 3391 "booleanValue": True or False, # boolean 3392 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3393 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3394 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3395 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3396 }, 3397 "dayOfWeekValue": "A String", # day of week 3398 "floatValue": 3.14, # float 3399 "integerValue": "A String", # integer 3400 "stringValue": "A String", # string 3401 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3402 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3403 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3404 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3405 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3406 }, 3407 "timestampValue": "A String", # timestamp 3408 }, 3409 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 3410 "booleanValue": True or False, # boolean 3411 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3412 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3413 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3414 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3415 }, 3416 "dayOfWeekValue": "A String", # day of week 3417 "floatValue": 3.14, # float 3418 "integerValue": "A String", # integer 3419 "stringValue": "A String", # string 3420 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3421 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3422 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3423 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3424 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3425 }, 3426 "timestampValue": "A String", # timestamp 3427 }, 3428 }, 3429 ], 3430 }, 3431 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 3432 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 3433 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 3434 "charactersToSkip": "A String", # Characters to not transform when masking. 3435 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 3436 }, 3437 ], 3438 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 3439 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 3440 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 3441 }, 3442 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 3443 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 3444 "name": "A String", # Name describing the field. 3445 }, 3446 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 3447 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3448 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3449 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3450 }, 3451 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3452 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3453 }, 3454 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3455 "key": "A String", # Required. A 128/192/256 bit key. 3456 }, 3457 }, 3458 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 3459 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3460 "version": "A String", # Optional version name for this InfoType. 3461 }, 3462 }, 3463 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 3464 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 3465 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3466 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3467 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3468 }, 3469 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3470 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3471 }, 3472 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3473 "key": "A String", # Required. A 128/192/256 bit key. 3474 }, 3475 }, 3476 }, 3477 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 3478 "commonAlphabet": "A String", # Common alphabets. 3479 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 3480 "name": "A String", # Name describing the field. 3481 }, 3482 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 3483 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3484 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3485 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3486 }, 3487 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3488 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3489 }, 3490 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3491 "key": "A String", # Required. A 128/192/256 bit key. 3492 }, 3493 }, 3494 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 3495 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 3496 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 3497 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3498 "version": "A String", # Optional version name for this InfoType. 3499 }, 3500 }, 3501 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 3502 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 3503 "name": "A String", # Name describing the field. 3504 }, 3505 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 3506 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3507 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3508 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3509 }, 3510 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3511 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3512 }, 3513 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3514 "key": "A String", # Required. A 128/192/256 bit key. 3515 }, 3516 }, 3517 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 3518 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 3519 }, 3520 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 3521 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 3522 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 3523 "booleanValue": True or False, # boolean 3524 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3525 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3526 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3527 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3528 }, 3529 "dayOfWeekValue": "A String", # day of week 3530 "floatValue": 3.14, # float 3531 "integerValue": "A String", # integer 3532 "stringValue": "A String", # string 3533 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3534 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3535 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3536 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3537 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3538 }, 3539 "timestampValue": "A String", # timestamp 3540 }, 3541 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 3542 "booleanValue": True or False, # boolean 3543 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3544 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3545 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3546 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3547 }, 3548 "dayOfWeekValue": "A String", # day of week 3549 "floatValue": 3.14, # float 3550 "integerValue": "A String", # integer 3551 "stringValue": "A String", # string 3552 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3553 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3554 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3555 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3556 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3557 }, 3558 "timestampValue": "A String", # timestamp 3559 }, 3560 }, 3561 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 3562 }, 3563 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 3564 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 3565 "booleanValue": True or False, # boolean 3566 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3567 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3568 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3569 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3570 }, 3571 "dayOfWeekValue": "A String", # day of week 3572 "floatValue": 3.14, # float 3573 "integerValue": "A String", # integer 3574 "stringValue": "A String", # string 3575 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3576 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3577 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3578 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3579 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3580 }, 3581 "timestampValue": "A String", # timestamp 3582 }, 3583 }, 3584 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 3585 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 3586 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 3587 "A String", 3588 ], 3589 }, 3590 }, 3591 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 3592 }, 3593 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 3594 "partToExtract": "A String", # The part of the time to keep. 3595 }, 3596 }, 3597 }, 3598 ], 3599 }, 3600 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. 3601 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 3602 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 3603 { # Bucket is represented as a range, along with replacement values. 3604 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 3605 "booleanValue": True or False, # boolean 3606 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3607 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3608 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3609 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3610 }, 3611 "dayOfWeekValue": "A String", # day of week 3612 "floatValue": 3.14, # float 3613 "integerValue": "A String", # integer 3614 "stringValue": "A String", # string 3615 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3616 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3617 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3618 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3619 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3620 }, 3621 "timestampValue": "A String", # timestamp 3622 }, 3623 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 3624 "booleanValue": True or False, # boolean 3625 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3626 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3627 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3628 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3629 }, 3630 "dayOfWeekValue": "A String", # day of week 3631 "floatValue": 3.14, # float 3632 "integerValue": "A String", # integer 3633 "stringValue": "A String", # string 3634 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3635 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3636 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3637 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3638 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3639 }, 3640 "timestampValue": "A String", # timestamp 3641 }, 3642 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 3643 "booleanValue": True or False, # boolean 3644 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3645 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3646 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3647 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3648 }, 3649 "dayOfWeekValue": "A String", # day of week 3650 "floatValue": 3.14, # float 3651 "integerValue": "A String", # integer 3652 "stringValue": "A String", # string 3653 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3654 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3655 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3656 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3657 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3658 }, 3659 "timestampValue": "A String", # timestamp 3660 }, 3661 }, 3662 ], 3663 }, 3664 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 3665 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 3666 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 3667 "charactersToSkip": "A String", # Characters to not transform when masking. 3668 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 3669 }, 3670 ], 3671 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 3672 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 3673 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 3674 }, 3675 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 3676 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 3677 "name": "A String", # Name describing the field. 3678 }, 3679 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 3680 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3681 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3682 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3683 }, 3684 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3685 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3686 }, 3687 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3688 "key": "A String", # Required. A 128/192/256 bit key. 3689 }, 3690 }, 3691 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 3692 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3693 "version": "A String", # Optional version name for this InfoType. 3694 }, 3695 }, 3696 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 3697 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 3698 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3699 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3700 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3701 }, 3702 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3703 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3704 }, 3705 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3706 "key": "A String", # Required. A 128/192/256 bit key. 3707 }, 3708 }, 3709 }, 3710 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 3711 "commonAlphabet": "A String", # Common alphabets. 3712 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 3713 "name": "A String", # Name describing the field. 3714 }, 3715 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 3716 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3717 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3718 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3719 }, 3720 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3721 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3722 }, 3723 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3724 "key": "A String", # Required. A 128/192/256 bit key. 3725 }, 3726 }, 3727 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 3728 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 3729 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 3730 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3731 "version": "A String", # Optional version name for this InfoType. 3732 }, 3733 }, 3734 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 3735 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 3736 "name": "A String", # Name describing the field. 3737 }, 3738 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 3739 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3740 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3741 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3742 }, 3743 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3744 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3745 }, 3746 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3747 "key": "A String", # Required. A 128/192/256 bit key. 3748 }, 3749 }, 3750 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 3751 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 3752 }, 3753 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 3754 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 3755 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 3756 "booleanValue": True or False, # boolean 3757 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3758 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3759 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3760 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3761 }, 3762 "dayOfWeekValue": "A String", # day of week 3763 "floatValue": 3.14, # float 3764 "integerValue": "A String", # integer 3765 "stringValue": "A String", # string 3766 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3767 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3768 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3769 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3770 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3771 }, 3772 "timestampValue": "A String", # timestamp 3773 }, 3774 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 3775 "booleanValue": True or False, # boolean 3776 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3777 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3778 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3779 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3780 }, 3781 "dayOfWeekValue": "A String", # day of week 3782 "floatValue": 3.14, # float 3783 "integerValue": "A String", # integer 3784 "stringValue": "A String", # string 3785 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3786 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3787 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3788 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3789 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3790 }, 3791 "timestampValue": "A String", # timestamp 3792 }, 3793 }, 3794 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 3795 }, 3796 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 3797 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 3798 "booleanValue": True or False, # boolean 3799 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3800 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3801 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3802 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3803 }, 3804 "dayOfWeekValue": "A String", # day of week 3805 "floatValue": 3.14, # float 3806 "integerValue": "A String", # integer 3807 "stringValue": "A String", # string 3808 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3809 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3810 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3811 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3812 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3813 }, 3814 "timestampValue": "A String", # timestamp 3815 }, 3816 }, 3817 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 3818 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 3819 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 3820 "A String", 3821 ], 3822 }, 3823 }, 3824 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 3825 }, 3826 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 3827 "partToExtract": "A String", # The part of the time to keep. 3828 }, 3829 }, 3830 }, 3831 ], 3832 "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType. 3833 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3834 "version": "A String", # Optional version name for this InfoType. 3835 }, 3836 "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to. 3837 "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content. 3838 "expressions": { # An expression, consisting or an operator and conditions. # An expression. 3839 "conditions": { # A collection of conditions. # Conditions to apply to the expression. 3840 "conditions": [ # A collection of conditions. 3841 { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. 3842 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. 3843 "name": "A String", # Name describing the field. 3844 }, 3845 "operator": "A String", # Required. Operator used to compare the field or infoType to the value. 3846 "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.] 3847 "booleanValue": True or False, # boolean 3848 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3849 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3850 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3851 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3852 }, 3853 "dayOfWeekValue": "A String", # day of week 3854 "floatValue": 3.14, # float 3855 "integerValue": "A String", # integer 3856 "stringValue": "A String", # string 3857 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3858 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3859 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3860 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3861 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3862 }, 3863 "timestampValue": "A String", # timestamp 3864 }, 3865 }, 3866 ], 3867 }, 3868 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`. 3869 }, 3870 }, 3871 }, 3872 "results": [ # Collection of all transformations that took place or had an error. 3873 { # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred. 3874 "code": "A String", # Outcome of the transformation. 3875 "count": "A String", # Number of transformations counted by this result. 3876 "details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected. 3877 }, 3878 ], 3879 "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to. 3880 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing 3881 "buckets": [ # Set of buckets. Ranges must be non-overlapping. 3882 { # Bucket is represented as a range, along with replacement values. 3883 "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min. 3884 "booleanValue": True or False, # boolean 3885 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3886 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3887 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3888 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3889 }, 3890 "dayOfWeekValue": "A String", # day of week 3891 "floatValue": 3.14, # float 3892 "integerValue": "A String", # integer 3893 "stringValue": "A String", # string 3894 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3895 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3896 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3897 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3898 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3899 }, 3900 "timestampValue": "A String", # timestamp 3901 }, 3902 "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used. 3903 "booleanValue": True or False, # boolean 3904 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3905 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3906 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3907 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3908 }, 3909 "dayOfWeekValue": "A String", # day of week 3910 "floatValue": 3.14, # float 3911 "integerValue": "A String", # integer 3912 "stringValue": "A String", # string 3913 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3914 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3915 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3916 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3917 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3918 }, 3919 "timestampValue": "A String", # timestamp 3920 }, 3921 "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket. 3922 "booleanValue": True or False, # boolean 3923 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 3924 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 3925 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 3926 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 3927 }, 3928 "dayOfWeekValue": "A String", # day of week 3929 "floatValue": 3.14, # float 3930 "integerValue": "A String", # integer 3931 "stringValue": "A String", # string 3932 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 3933 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 3934 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 3935 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 3936 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 3937 }, 3938 "timestampValue": "A String", # timestamp 3939 }, 3940 }, 3941 ], 3942 }, 3943 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask 3944 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. 3945 { # Characters to skip when doing deidentification of a value. These will be left alone and skipped. 3946 "charactersToSkip": "A String", # Characters to not transform when masking. 3947 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation. 3948 }, 3949 ], 3950 "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. 3951 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. 3952 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. 3953 }, 3954 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto 3955 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. 3956 "name": "A String", # Name describing the field. 3957 }, 3958 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. 3959 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3960 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3961 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3962 }, 3963 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3964 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3965 }, 3966 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3967 "key": "A String", # Required. A 128/192/256 bit key. 3968 }, 3969 }, 3970 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. 3971 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 3972 "version": "A String", # Optional version name for this InfoType. 3973 }, 3974 }, 3975 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto 3976 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # The key used by the hash function. 3977 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3978 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3979 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3980 }, 3981 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 3982 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 3983 }, 3984 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 3985 "key": "A String", # Required. A 128/192/256 bit key. 3986 }, 3987 }, 3988 }, 3989 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe 3990 "commonAlphabet": "A String", # Common alphabets. 3991 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 3992 "name": "A String", # Name describing the field. 3993 }, 3994 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Required. The key used by the encryption algorithm. 3995 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 3996 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 3997 "wrappedKey": "A String", # Required. The wrapped data crypto key. 3998 }, 3999 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 4000 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 4001 }, 4002 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 4003 "key": "A String", # Required. A 128/192/256 bit key. 4004 }, 4005 }, 4006 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ 4007 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. 4008 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE 4009 "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. 4010 "version": "A String", # Optional version name for this InfoType. 4011 }, 4012 }, 4013 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift 4014 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. 4015 "name": "A String", # Name describing the field. 4016 }, 4017 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. 4018 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a KMS-wrapped crypto key: dlp.kms.encrypt For more information, see [Creating a wrapped key] (https://cloud.google.com/dlp/docs/create-wrapped-key). Note: When you use Cloud KMS for cryptographic operations, [charges apply](https://cloud.google.com/kms/pricing). # Key wrapped using Cloud KMS 4019 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. 4020 "wrappedKey": "A String", # Required. The wrapped data crypto key. 4021 }, 4022 "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key 4023 "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). 4024 }, 4025 "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key 4026 "key": "A String", # Required. A 128/192/256 bit key. 4027 }, 4028 }, 4029 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. 4030 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. 4031 }, 4032 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}. For example, if lower_bound = 10 and upper_bound = 20, all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing 4033 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. 4034 "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". 4035 "booleanValue": True or False, # boolean 4036 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 4037 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 4038 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 4039 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 4040 }, 4041 "dayOfWeekValue": "A String", # day of week 4042 "floatValue": 3.14, # float 4043 "integerValue": "A String", # integer 4044 "stringValue": "A String", # string 4045 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 4046 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 4047 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 4048 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 4049 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 4050 }, 4051 "timestampValue": "A String", # timestamp 4052 }, 4053 "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". 4054 "booleanValue": True or False, # boolean 4055 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 4056 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 4057 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 4058 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 4059 }, 4060 "dayOfWeekValue": "A String", # day of week 4061 "floatValue": 3.14, # float 4062 "integerValue": "A String", # integer 4063 "stringValue": "A String", # string 4064 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 4065 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 4066 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 4067 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 4068 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 4069 }, 4070 "timestampValue": "A String", # timestamp 4071 }, 4072 }, 4073 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact 4074 }, 4075 "replaceConfig": { # Replace each input value with a given `Value`. # Replace with a specified value. 4076 "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with. 4077 "booleanValue": True or False, # boolean 4078 "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date 4079 "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. 4080 "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. 4081 "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. 4082 }, 4083 "dayOfWeekValue": "A String", # day of week 4084 "floatValue": 3.14, # float 4085 "integerValue": "A String", # integer 4086 "stringValue": "A String", # string 4087 "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day 4088 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. 4089 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. 4090 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. 4091 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. 4092 }, 4093 "timestampValue": "A String", # timestamp 4094 }, 4095 }, 4096 "replaceDictionaryConfig": { # Replace each input value with a value randomly selected from the dictionary. # Replace with a value randomly drawn (with replacement) from a dictionary. 4097 "wordList": { # Message defining a list of words or phrases to search for in the data. # A list of words to select from for random replacement. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. 4098 "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] 4099 "A String", 4100 ], 4101 }, 4102 }, 4103 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype 4104 }, 4105 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction 4106 "partToExtract": "A String", # The part of the time to keep. 4107 }, 4108 }, 4109 "transformedBytes": "A String", # Total size in bytes that were transformed in some way. 4110 }, 4111 ], 4112 "transformedBytes": "A String", # Total size in bytes that were transformed in some way. 4113 }, 4114}</pre> 4115</div> 4116 4117</body></html>