1

I am listed as MANAGER in a group that I am managing on a Google Cloud Platform organisation via the IAM Groups interface on https://console.cloud.google.com/iam-admin/groups.

But the delete icon is greyed out and displays a message:

You need the following permissions to be granted by a group administrator for this action: Required permission(s): cloudidentity.memberships.remoMemberRole

The message links to documentation that has no helpful information and does not mention the problem described in the message.

AFAIK, as a manager of a group, one should be able to add and remove members.

Can you help me fix or explain this issue?

Screenshot of the problem

Overbryd
  • Are you the organization's administrator? From this message, you are missing `cloudidentity.memberships.remoMemberRole`. It might have been taken away from you due to the least privilege rule, and only the owner can do it. If you open [this link](https://support.google.com/a/answer/10284003?hl=en), do you have information on whether you `have` or `don't have` the proper permissions? Also, could you ask your organization's administrator to add `cloudidentity.memberships.remoMemberRole` for you? – PjoterS Nov 29 '21 at 10:01
  • Thanks @PjoterS for having a look. So I want to clarify, since this does not match my perception of the role "MANAGER" on such groups. In my point of view, the MANAGER of a Google Group should be able to add or remove members of this group. In the case of the screenshot above, I am MANAGER of that group. – Overbryd Nov 29 '21 at 12:18
  • Correct me if I am wrong: I do not have to be Organization Administrator to add or remove members from a Group in which I am set up as MANAGER. I can add members to the group. But I cannot remove members from the group. What is the point of the MANAGER role in a group, when the manager can only add members? Because if I switch myself to be the OWNER of the group, I can add, remove members BUT I can also delete the group itself. And that is where I thought MANAGER comes into play. A manager should add/remove members, but not be able to delete the group itself. – Overbryd Nov 29 '21 at 12:21
  • Did you enable `Groups for Business` in `Admin Console`? Did you create this group or were you added later by someone? Per [Assign roles to a group's members](https://support.google.com/a/answer/167094?hl=en#zippy=%2Cmanager) Document, `Manager` should have this permission by default and should be able to remove and add users to the group. Roles with `cloudidentity` are not available in IAM as per [this docs](https://cloud.google.com/iam/docs/groups-in-cloud-console#group-permissions). Maybe the Group owner revoked this one specific permission using the Admin Console? – PjoterS Nov 29 '21 at 14:04
  • @PjoterS I see. So the group was created by a special service account, who is assigned Groups Admin in Google Workspace. The service account then appoints individuals as `Manager`. Yes, I am under the same impression, `Manager` should have the permission to add and remove users of a group by default. However, the group owner did nothing to revoke or alter these rights. Do you know how I can inspect the API for any problems with the group and group membership being created there? – Overbryd Nov 30 '21 at 08:10
  • This issue got resolved. It was a UI bug and got fixed by the Cloud Console team. I can no longer reproduce it. See my answer. – Overbryd Mar 15 '22 at 12:23

1 Answer

2

This issue got resolved. It was a UI bug and got fixed by the Cloud Console team. I can no longer reproduce it.

Overbryd