Default setup is today with 2 roles on organization domain level:
roles/browser
roles/resourcemanager.organizationViewer
Browser gives the following permissions:
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Organization viewer gives the following permissions:
resourcemanager.organizations.get
The right resourcemanager.organizations.get is in both. In this example the Organization Viewer right is redundant. It is not clear from the name that it contains both, so from that perspective I understand why both are applied.
There is another discussion about the default rights.
It can be discussed if getIamPolicy is something that all users should have. Folder Viewer may contain a better set of permissions.
I have not seen any recommendation from Google on what permissions to give on organization level. Except least privilege.
If Folder Viewer is used then Organization Viewer is needed.
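The overlap described in this issue can be checked mechanically. The following is an added example, not code from cloud-foundation-fabric: it takes a role-to-permission catalog (here constructed from the two permission lists quoted above; in practice the lists would be pulled from `gcloud iam roles describe <role> --format=json`, which is an assumption about how a reader would obtain them) and reports which roles in a binding set add no permission of their own, plus which roles grant a permission worth a second look such as projects.getIamPolicy.

```python
# Added example (not from the cloud-foundation-fabric project): find roles in an
# organization-level binding set whose permissions are already fully covered by
# the other roles, and flag permissions a reviewer may want to justify.
from typing import Dict, List, Set

# Constructed from the permission lists quoted in the issue text.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/browser": {
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.organizations.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.list",
    },
    "roles/resourcemanager.organizationViewer": {
        "resourcemanager.organizations.get",
    },
}

# Permissions the issue questions for "all domain users"; extend as needed.
REVIEW_PERMISSIONS: Set[str] = {"resourcemanager.projects.getIamPolicy"}


def effective_permissions(roles: List[str], catalog: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> Set[str]:
    """Union of the permissions carried by the given roles (empty for no roles)."""
    return set().union(*(catalog[r] for r in roles))


def redundant_roles(roles: List[str], catalog: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> List[str]:
    """Roles whose every permission is already granted by the other roles in the set.
    Two roles with identical permission sets are both reported; keep one of them."""
    out = []
    for role in roles:
        others = [r for r in roles if r != role]
        if catalog[role] <= effective_permissions(others, catalog):
            out.append(role)
    return sorted(out)


def flagged_permissions(roles: List[str], catalog: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> Dict[str, List[str]]:
    """Map each review-listed permission present in the binding set to the roles granting it."""
    return {
        p: sorted(r for r in roles if p in catalog[r])
        for p in sorted(REVIEW_PERMISSIONS)
        if any(p in catalog[r] for r in roles)
    }


if __name__ == "__main__":
    bound = ["roles/browser", "roles/resourcemanager.organizationViewer"]
    print("redundant:", redundant_roles(bound))      # roles/resourcemanager.organizationViewer
    print("review:", flagged_permissions(bound))     # getIamPolicy comes from roles/browser
```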
You're right, the roles assigned to domain users are in overlap and it probably stems from the fact many users remove the browser role, and only keep organization viewer. +1 to removing organization viewer, I would maybe also add a comment to point out that it might be a sensible default if no other roles are given. Would you care sending a PR?
Folder admin is granted to org admins to allow them to effectively manage folders. We default to "open" permissions for org admins as those are usually tightened up progressively after install. They can anyway self-assign pretty much anything via the org admin role, so it's not that big of a difference in terms of actual security.
I can try to send a PR later if I get the time to register myself.
We can discuss permissions for a long time, but I agree, the difference in terms of actual security is not so big. And it most likely will be something that you should change when implementing. Still, nice that the baseline is as secure as it can get right out of the box.
References, doc & TF:
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/00-bootstrap/IAM.md
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/00-bootstrap/organization.tf
Cheers and keep up the good work