Rinu Goldgin Dhanaraj

Software Consultant

Google Cloud – CloudIAM

Overview of Identity & Access Management

IAM is about managing WHO has access to WHAT on which RESOURCES. Who can be a user, group or org; what they can do is defined by their privileges (roles); and the resources are the services they can consume.

Cloud IAM Objects

  • Organization
    • root node in the hierarchy 
    • Org Roles
      • org admin
        • control over all cloud resources – super user
      • project creator
        • controls project creation within the org
        • Org resources
  • Folders
    • represents multiple departments within an org
  • Projects
    • Each dept (folder) can have one or more projects within it
      • this provides clear demarcation of roles within the dept
      • and granular delegation of access
      • eg ORG
        • DEPT-1
          • Proj1-D1
          • Proj2-D1
        • DEPT-2
          • Proj1-D2
  • Resources
    • individual resources / services aligned to each projects
  • Roles
    • Resource Manager Roles & Scope
      • Org
        • Admin
        • Viewer
      • Folder
        • Admin
        • Creator
        • Viewer
      • Project
        • Creator
        • Deleter
    • IAM Role Types
      • Primitive
        • Roles available by default on every project
        • Primitive roles give coarse-grained access
          • Viewer
            • Read only access
          • Editor
            • Includes view access +
            • Deploy, Modify & Configure services
          • Owner
            • Includes Editor access +
            • full admin access
      • Pre-defined
        • The predefined roles apply to a specific GCP service in a project
        • These roles are not abstract
        • Compute Admin
          • full control of all Compute Engine resources
            • eg permissions compute.*
        • Network Admin
          • To create/modify/delete all network services
          • Firewall rules & SSL certs not part of network admin role
        • Storage Admin
          • create/modify/delete all images and snapshots
      • Custom 
        • Provides a layer of abstraction, and the set of permissions can be controlled
  • Members

Create & Manage Orgs

  • Orgs are created when a G Suite / Cloud Identity account creates a GCP project
    • Super Admin – Cloud Identity & G Suite
      • Assign org admin
      • point of contact for recovery
      • controls the lifecycle of Cloud Identity & G Suite
    • Org Admin
      • define IAM policies
      • determine structure & resource hierarchy
      • delegate component access (networking, billing etc) through IAM roles
    • Ideal to have the org admin and super admin assigned to different individuals


Notes

  1. Child policies cannot restrict access granted at the parent level (inheritance is additive)
  2. Each child can have only one parent
  3. If the resource hierarchy changes, the policy hierarchy changes with it
  4. Best practice
    1. assign policies at the lowest level of the hierarchy that needs them
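A small resolver for the notes above (added example, not Google's code): it walks a constructed Org → Folder → Project hierarchy and computes the effective policy on a resource as the union of its own bindings and its ancestors', which is why a child policy can never revoke an org-level grant and why you must look upward to find where a grant originates. All resource names, members and bindings are hypothetical.

```python
from collections import defaultdict

# Constructed hierarchy, child -> parent: every child has exactly one parent
# and the organization is the root node (hypothetical names throughout).
PARENT = {
    "folders/dept-1": "organizations/example-org",
    "projects/proj1-d1": "folders/dept-1",
    "projects/proj2-d1": "folders/dept-1",
}

# Constructed IAM policies per resource: {role: set of members}.
POLICIES = {
    "organizations/example-org": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/dept-1": {"roles/editor": {"user:alice@example.com"}},
    "projects/proj1-d1": {"roles/owner": {"user:bob@example.com"}},
}

def ancestry(resource):
    """The resource followed by its ancestors up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_policy(resource):
    """Union of bindings on the resource and on every ancestor. Inheritance is
    purely additive: a child can add bindings, never remove an inherited one."""
    effective = defaultdict(set)
    for node in ancestry(resource):
        for role, members in POLICIES.get(node, {}).items():
            effective[role] |= members
    return dict(effective)

def has_role(member, role, resource):
    return member in effective_policy(resource).get(role, set())

def grant_sources(member, role, resource):
    """Levels at which the member's role on this resource is granted; revoking
    it means editing the policy at each of these levels, not at the child."""
    return [node for node in ancestry(resource)
            if member in POLICIES.get(node, {}).get(role, set())]

if __name__ == "__main__":
    # The org-level viewer grant reaches every project under the org.
    print(has_role("group:auditors@example.com", "roles/viewer", "projects/proj2-d1"))
    print(grant_sources("group:auditors@example.com", "roles/viewer", "projects/proj2-d1"))
```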