Enterprises running workloads on Google’s cloud platform now have a way to enforce more granular polices for controlling user access to business data.
The company on Oct. 3 announced the beta release of custom roles for Cloud Identity and Access Management, a feature that gives administrators more than 1,280 ways to grant users permissions to data and resources on Google’s cloud.
Administrators can use the feature to enforce the principle of least privilege for users with custom roles or roles that are not predefined, Google product manager Rohit Khare said in a blog.
For instance with custom roles, an administrator could give an auditor access to a database in order to collect audit-related data, but prevent the auditor from being able to actually read that data or take any other action with it.
Similarly, organizations can use custom roles to grant and manage permissions during projects, or during testing and maintenance related tasks when users may need access to specific resources that they may not typically require in their usual roles.
Custom roles complement the existing support for role-based access control in Google Cloud IAM, Khare said.
IAM offers support for what Google calls primitive roles and predefined roles. Primitive roles offer less granular access control than predefined and custom roles. It basically allows an administrator to assign users the role of ‘owner,’ ‘editor’ or a ‘viewer’. A user assigned the ‘owner’ role will have the most access, while an individual assigned a viewer role will have the least access to enterprise data and resources on Google Cloud Platform.
Predefined rules give administrators a way to implement more fine-grained control than primitive roles, according to Google. Administrators can choose from over 100 pre-defined roles when deciding what level of access to grant a specific user. A single user can have multiple roles that offer varying levels of access to data and resources.
For example, a user who is part of a project can have the role of a Network Administrator, a Log Viewer and a Publisher at the same time according to Google.
“Predefined rules combine a curated set of permissions necessary to complete different tasks across GCP,” Khare said. In many cases, people assigned a predefined role already have permissions to access all the services they require on Google Cloud Platform, he said.
Custom roles in Cloud IAM basically offer administrators more granularity than primitive and predefined access. Unlike predefined roles, administrators have total control over when to add, grant or revoke permissions for people assigned custom roles. This means, it is up to organizations to track all the permissions associated with a custom role and ensure those permissions are tweaked or updated as needed, Khare said.
In announcing beta availability of custom roles, Google this week also laid out step-by-step instructions on how organizations can get started creating and managing such roles in Cloud IAM. “Security administrators now have the power to publish policies as precise as granting a single user just one permission on a resource—or on whole folders full of projects,” Khare noted.