
When testing the following scenario:

  • group-a@company.com
    • member: user@company.com
  • role-group-b@company.com
    • member: group-a@company.com
  • Project: foo-bar-af09
    • IAM Membership
      • Role: roles/browser
      • Member: role-group-b@company.com

Documentation of groups-to-groups memberships: https://support.google.com/a/answer/167100?hl=en

Child group members inherit some permissions from parent groups

Now, when checking, the user user@company.com has no rights to view the project foo-bar-af09, as he is missing the roles/browser IAM role.

Although: user@company.com is a member of group-a@company.com, which is in turn a member of role-group-b@company.com.

What exactly is going wrong here, and how can I fix this issue?

Can you reproduce the same problem in your Google Cloud account?

When checking the documentation, such inheritance should be possible, and I suspect a bug, maybe? Any help or hints on this issue are highly appreciated.

Overbryd
  • I found _one_ possible issue with this matter: in order to perform a policy analysis of the members of a group, the principal invoking the inquiry to the Policy Analyser must have the permission to 1) read the group and 2) read the list of members of the group. See also: https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy?hl=en#gsuite-permissions So it is possible to get false-positive results from Policy Analyser in this case without a warning. – Overbryd Dec 03 '21 at 15:44
  • Have you tried [Policy Troubleshooter](https://cloud.google.com/iam/docs/troubleshooting-access)? – rriovall Dec 03 '21 at 21:47
  • The support doc you linked is for Workspace; you need to be looking at GCP and IAM documentation. They are describing Workspace products: "If a Google Docs file is shared with a parent group, child group members can also access the doc." – dany L Dec 05 '21 at 00:26
  • Thanks, I will try "Policy Troubleshooter" and try to read up on the respective IAM documentation. So Cloud Identity Groups (which AFAIK are backed by Workspace groups) should also inherit permissions to all members, including members of sub-groups. – Overbryd Dec 06 '21 at 12:44
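As an added illustration that is not part of the question or its comments, the following Python model shows how an analysis tool has to expand the nested-group binding from the scenario above, and the caveat raised in the comments: a group whose member list the calling principal cannot read silently drops out of the expansion, so the user appears to lack roles/browser. The group and binding data are constructed to match the question, and the helper names are hypothetical, not the Cloud Asset or IAM API.

```python
from collections import deque

# Constructed sample mirroring the question: each group's direct members.
GROUPS = {
    "group:group-a@company.com": {"user:user@company.com"},
    "group:role-group-b@company.com": {"group:group-a@company.com"},
}
# Constructed sample: IAM bindings on project foo-bar-af09.
BINDINGS = {"roles/browser": {"group:role-group-b@company.com"}}

def transitive_members(group, groups, readable):
    """Expand `group` through nested groups. Returns (members, unreadable):
    all non-group principals reached, and the groups whose member list the
    caller could not read (expansion stops silently there)."""
    members, unreadable, seen = set(), set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:  # guard against membership cycles
            continue
        seen.add(g)
        if g not in readable:
            unreadable.add(g)
            continue
        for m in groups.get(g, ()):
            if m.startswith("group:"):
                queue.append(m)
            else:
                members.add(m)
    return members, unreadable

def effective_roles(principal, bindings, groups, readable):
    """Roles `principal` holds via direct or nested-group bindings, plus the
    groups that could not be expanded (non-empty means the result may be incomplete)."""
    roles, unresolved = set(), set()
    for role, principals in bindings.items():
        for p in principals:
            if p == principal:
                roles.add(role)
            elif p.startswith("group:"):
                members, unreadable = transitive_members(p, groups, readable)
                unresolved |= unreadable
                if principal in members:
                    roles.add(role)
    return roles, unresolved

if __name__ == "__main__":
    user = "user:user@company.com"
    print(effective_roles(user, BINDINGS, GROUPS, set(GROUPS)))  # full visibility: roles/browser
    print(effective_roles(user, BINDINGS, GROUPS, {"group:role-group-b@company.com"}))  # group-a hidden: no role, group-a flagged
```

Whenever the second set in the result is non-empty, treat a "no access" answer as unverified and re-run the analysis with a principal that can read the flagged groups' memberships.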

0 Answers