According to the documentation which says
Child policies cannot restrict access granted at a higher level. For example, if you grant the Editor role to a user for a project, and grant the Viewer role to the same user for a child resource, then the user still has the Editor role grant for the child resource.
Does it also mean that if I assign a user restrictive access at higher level but assign more permissive access at resource level, that user will have more permissive access? In other words, more permissive policy will override restrictive policy no matter what at which level more permissive policy is granted at?
Grant UserA viewer role for a project but assign Editor role at resource level, UserA will have editor level access to the resource?
You can set Identity and Access Management (IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of the parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.
Example: Policy with conditional role binding Access control for Google Cloud resources is managed by IAM policies, which are attached to resources. You can attach only one IAM policy to each resource. The IAM policy controls access to the resource itself, as well as any descendants of that resource that inherit the policy.
The IAM policy controls access to the resource itself, as well as any descendants of that resource that inherit the policy. This page shows IAM policies in JSON format. You can also use the gcloud command-line tool to retrieve policies in YAML format.
What Is Cloud IAM In GCP? Cloud IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. Cloud IAM lets you adopt the security principle of least privilege, where you grant only necessary permissions to access specific resources.
Does it also mean that if I assign a user restrictive access at higher level but assign more permissive access at resource level, that user will have more permissive access?
Yes.
In other words, more permissive policy will override restrictive policy no matter what at which level more permissive policy is granted at?
Do not think of it has overriding. Think of it as you are granting additional privileges.
Grant UserA viewer role for a project but assign Editor role at resource level, UserA will have editor level access to the resource?
Correct, UserA will have editor level for the resource.
Think of the hierarchy being Organization / Folders / Projects / Resources. If you have permissions at a higher level, you have at least those permissions at a lower level. This is similar to a company's organization. If you are V.P. of division (project) you are still V.P. for each group (resource) under that division. The opposite also works. You are a team member for the organization (project Viewer) but you are the manager for one group (compute resources Editor) and just a project Viewer for other resources.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With