Alexander Korobkin

Deny revoking roles from <User.Group.0*> groups for everyone except the Admin team

I need to create a Google Org Policy that would prohibit revoking bound roles only for a specific PrincipalSet (Group), User.Group.0*, in IAM at the organisation level, but allow it for PrincipalSet (Group): Admin Group.

In other words, something that would protect UserGroup0* groups from having their bound roles in IAM revoked by anyone other than administrators. That is, even UserGroup0* members with the right permissions could not revoke roles; only the Admin Group could.

Can I implement this through Google Org Policy? Is it possible to write such a condition?

Or, to implement this scenario, would I be better off creating an IAM deny policy that denies everyone except PrincipalSet (Group): Admin Group from using role management rights?

I have tried to write a condition that describes my scenario, but I lack the knowledge and understanding to do so.

Here is my policy:

[screenshot of the policy]

That's my condition:

resource.bindings.all(binding, binding.members.all(member,!(MemberSubjectStartsWith(member, ['group:User.Group.0']) && !(authorizer.principal == 'group:[email protected]'))))
