I checked the IAM & admin in the GCP console UI. I have two roles: (Company name) Project Owner and Editor. The member is my company email address.

But when I try to edit (the edit button) other people's roles and permissions, I got the message below:

You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy

My (Company name) Project Owner role is granted by the project manager. It seems I only have Editor role permission.

Update

I have an organization like this:

company.com

  • project_a
  • project_b

For project_b, I have the roles described above and meet this issue.

When I check the Over granted permissions (click 1489/1601) of (Company name) Project Owner, I got this:

There is no recommendation available at this time for this binding. However, you do not have permission to view the analysis of the current role definition.

But I can check Over granted permissions for the Editor role. I can only give as much information as I can.

  • Is "Project Owner" a custom role? Iirc, GCP Owner role is called just "Owner", and not "Project Owner". The "Project Owner" might be a custom role that your project manager has defined. – AMargheriti Jan 16 '20 at 13:12
  • @AMargheriti I am not sure, can you give me a documentation link for this? How should I know I am a custom role? – Lin Du Jan 16 '20 at 13:18
  • Sure, have a look here: https://cloud.google.com/iam/docs/creating-custom-roles#editing_an_existing_custom_role. If "Project Owner" shows up in that custom role list, it's likely that that's the issue. – AMargheriti Jan 16 '20 at 13:27
  • Provide more details. This looks like you have an organization. This permission is part of `OrganizationAdmin`. If you are in an organization, then you will not have this role and therefore no permission. – John Hanley Jan 16 '20 at 15:26
  • @JohnHanley Yes, it is. Updated the question. – Lin Du Jan 16 '20 at 15:38
  • You do not have that permission. That is the purpose of an Organization. You control the project resources but do not control `who` can access those resources. If you want that permission, request the `OrganizationAdmin` role or a custom role that includes that permission. Only the OrganizationAdmin can grant that permission to you. – John Hanley Jan 16 '20 at 15:52

2 Answers

As mentioned in the comments, Project Owner is not one of the Primitive Roles for projects in GCP. It's most likely that Project Owner is a Custom Role created to provide access to users in your Organization.

The permission resourcemanager.projects.setIamPolicy is only contained in the following Roles:

  • Primitive Roles:
    • Owner (roles/owner)
  • Predefined Roles:
    • Security Admin (roles/iam.securityAdmin)
    • Folder Admin (roles/resourcemanager.folderAdmin)
    • Organization Administrator (roles/resourcemanager.organizationAdmin)
    • Project IAM Admin (roles/resourcemanager.projectIamAdmin)

You can learn more about which permissions are included with each of these roles in the Cloud IAM Documentation. I would suggest asking an Organization Administrator to assign the role Project IAM Admin to your user, as this role is very specific to providing permissions to administer Cloud IAM policies on projects only. They could also add the individual roles to the custom Project Owner role, and this would allow anyone in the organization who has the role assigned to manage IAM policies within their projects.

Judith Guzman
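One way to check this from a policy dump rather than the console, as an added example in Python (not code from the question or either answer): it takes the JSON that `gcloud projects get-iam-policy` prints plus the `includedPermissions` list that `gcloud iam roles describe` prints for any custom role, and reports which bound role, if any, grants resourcemanager.projects.setIamPolicy, using the role list from the answer above. The organization id, user names and the custom role's permission list are constructed sample values.

```python
SET_IAM_POLICY = "resourcemanager.projects.setIamPolicy"

# Roles that carry the permission, as listed in the answer above.
ROLES_WITH_SET_IAM_POLICY = {
    "roles/owner",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

def is_custom_role(role: str) -> bool:
    # Custom roles are scoped to an org or project; basic/predefined ones are roles/*.
    return role.startswith(("organizations/", "projects/"))

def roles_for_member(policy: dict, member: str) -> list:
    # Every role bound to `member` in a project IAM policy, in binding order.
    return [b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])]

def granting_role(policy: dict, member: str, custom_role_perms: dict):
    """First role bound to `member` that grants setIamPolicy, or None.
    custom_role_perms maps custom role name -> includedPermissions (the field
    `gcloud iam roles describe` prints); a custom role missing from it raises,
    so an unchecked custom role is never silently treated as harmless."""
    for role in roles_for_member(policy, member):
        if role in ROLES_WITH_SET_IAM_POLICY:
            return role
        if is_custom_role(role):
            if role not in custom_role_perms:
                raise ValueError(f"describe custom role {role} before deciding")
            if SET_IAM_POLICY in custom_role_perms[role]:
                return role
    return None

# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json`.
POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:lin@company.example"]},
    {"role": "organizations/123456789012/roles/ProjectOwner",
     "members": ["user:lin@company.example", "user:pm@company.example"]},
    {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:pm@company.example"]},
]}

# Constructed includedPermissions for the custom role; note that setIamPolicy is absent.
CUSTOM_ROLE_PERMS = {"organizations/123456789012/roles/ProjectOwner": [
    "resourcemanager.projects.get", "compute.instances.list"]}

if __name__ == "__main__":
    for user in ("user:lin@company.example", "user:pm@company.example"):
        print(user, "->", granting_role(POLICY, user, CUSTOM_ROLE_PERMS))
```

For a real project, feed it `gcloud projects get-iam-policy PROJECT --format=json` and, for each custom role in the output, the `includedPermissions` from `gcloud iam roles describe`.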
Hi, there are a few things happening here:

1. (Company name) Project Owner is a custom role saved on the Organization node. You need to either have roles/iam.roleViewer or roles/iam.securityReviewer on that custom role in order to see its details, such as the list of permissions.

2. It's greyed out because there is no recommendation. This can be because of one of these reasons: https://cloud.google.com/iam/docs/recommender-overview#availability

Hope that helps!

  • It seems like your answer got duplicated. I'm not sure which version you want to keep, or I'd edit it myself. Do you mind editing your answer to just include the copy you want? – Jeremy Caney May 21 '20 at 00:48