Nicolas Dobler

Reputation: 29

Limit Google account to use ONLY BigQuery

My organization wants to limit the GCP services any user can use. For example, we only want to allow the usage of BigQuery. Is there a way to contract GCP in a way that even the top account (or tenant, organization or whatever) can't instantiate anything besides BigQuery? Thanks

Upvotes: 2

Views: 82

Answers (2)

Sergiusz

Reputation: 1235

As suggested by Jack, you can create a group that grants access only to BigQuery, place all users in that group and grant them no extra permissions.
But you must have at least one project owner account that can do anything in that project.

If you want to secure your organization even further, you can do the following:

  • Limit the number of services that can be activated using quotas
  • Monitor actions performed by users with Audit Logs
  • Set up alerts that will notify you when certain services are activated

Upvotes: 2

Jack Wotherspoon

Reputation: 1979

I would recommend maybe trying the following. Basically, you want to create a group and apply the proper BigQuery roles to the group, which will then be inherited by all members of the group. Google allows you to create a "company" group that you can set to auto-add all current and new users of your organization.

Take the following steps.

  1. Create a "Company" group by following this article. Make sure to set it up so that current and new users of the organization will be added. (If you don't want this, then just create a group and add in the users necessary.)
  2. In GCP, add the corresponding BigQuery roles you want to have applied to all your organization's members to the single group.

Upvotes: 3
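Added example (not part of either answer): a small audit that checks a project's IAM policy against the setup described in the two answers above, where BigQuery roles are granted only through one group and an approved owner remains. The group address, owner address and sample policy are constructed; the JSON shape is the one printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Constructed sample policy; addresses and bindings are illustrative only.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/bigquery.user", "members": ["group:company@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:company@example.com", "user:alice@example.com"]},
    {"role": "roles/compute.admin", "members": ["user:bob@example.com"]},
    {"role": "roles/editor", "members": ["group:company@example.com"]}
  ]
}
""")


def audit_policy(policy, group, owners):
    """Return (severity, member, role, reason) findings for a project IAM policy.

    group  -- the single group expected to hold the BigQuery roles (assumed name)
    owners -- set of principals approved to hold roles/owner (assumed names)
    """
    findings = []
    owners_seen = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        is_bigquery = role.startswith("roles/bigquery.")
        for member in binding.get("members", []):
            if role == "roles/owner" and member in owners:
                owners_seen.add(member)       # the expected project owner
            elif is_bigquery and member == group:
                continue                      # the intended grant path
            elif is_bigquery:
                findings.append(("warn", member, role,
                                 "BigQuery role granted outside the group"))
            else:
                findings.append(("high", member, role, "non-BigQuery role"))
    if not owners_seen:
        findings.append(("high", "-", "roles/owner",
                         "no approved project owner present"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "group:company@example.com",
                                {"user:admin@example.com"}):
        print(*finding, sep="\t")
```

Google-managed service agents also appear in real policies as `serviceAccount:` members, so expect to review those entries separately.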
