Tags: google-cloud-platform, google-iam

GCP IAM - Policy inheritance/precedence


According to the documentation, which says:

Child policies cannot restrict access granted at a higher level. For example, if you grant the Editor role to a user for a project, and grant the Viewer role to the same user for a child resource, then the user still has the Editor role grant for the child resource.

Does it also mean that if I assign a user restrictive access at a higher level but assign more permissive access at the resource level, that user will have the more permissive access? In other words, will a more permissive policy override a restrictive policy no matter at which level the more permissive policy is granted?

Example:


Grant UserA the Viewer role for a project but assign the Editor role at the resource level; will UserA have Editor-level access to the resource?


Solution

  • Does it also mean that if I assign a user restrictive access at a higher level but assign more permissive access at the resource level, that user will have the more permissive access?

    Yes.

    In other words, will a more permissive policy override a restrictive policy no matter at which level the more permissive policy is granted?

    Do not think of it as overriding. Think of it as granting additional privileges.

    Grant UserA the Viewer role for a project but assign the Editor role at the resource level; will UserA have Editor-level access to the resource?

    Correct, UserA will have Editor level for the resource.

    Think of the hierarchy as Organization / Folders / Projects / Resources. If you have permissions at a higher level, you have at least those permissions at a lower level. This is similar to a company's organization. If you are V.P. of a division (project), you are still V.P. for each group (resource) under that division. The opposite also works: you are a team member for the organization (project Viewer), but you are the manager for one group (Compute resources Editor) and just a project Viewer for the other resources.
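To make the "additional privileges, not overriding" point concrete, here is a small model of how GCP IAM allow policies are evaluated along the resource hierarchy. This is an added example, not code from the original question or answer, and not a Google library: the effective roles a principal holds on a resource are simply the union of the roles bound to that principal on the resource itself and on every ancestor (Organization, Folder, Project). The resource names, the principals and the roles used in the bindings are constructed for illustration; the instance-level binding uses a Compute-specific predefined role because that is the kind of role that can be attached directly to an instance, and IAM deny policies are deliberately not modelled.

```python
"""Model of GCP IAM allow-policy inheritance (added example, not from the original post).

Every resource has at most one parent: Organization -> Folder -> Project -> Resource.
An allow policy is a set of bindings (role -> principals). The effective roles a
principal holds on a resource are the UNION of the roles bound to that principal on
the resource and on all of its ancestors. A binding on a child can therefore only add
privileges; it can never take away a role granted higher up. Deny policies are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    parent: Resource | None = None
    # role -> set of principals, e.g. {"roles/viewer": {"user:usera@example.com"}}
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        """Add a binding for `member` to `role` in this resource's allow policy."""
        self.bindings.setdefault(role, set()).add(member)


def ancestry(resource: Resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    node = resource
    while node is not None:
        yield node
        node = node.parent


def role_sources(member: str, resource: Resource) -> dict[str, str]:
    """Map each role `member` effectively holds on `resource` to the resource whose
    policy grants it. Useful when troubleshooting *why* someone has access."""
    sources: dict[str, str] = {}
    for node in ancestry(resource):
        for role, members in node.bindings.items():
            # Keep the first (lowest) place the role was found; a higher-level grant
            # of the same role adds nothing new.
            if member in members and role not in sources:
                sources[role] = node.name
    return sources


def effective_roles(member: str, resource: Resource) -> set[str]:
    """Union of roles bound to `member` on the resource and all its ancestors."""
    return set(role_sources(member, resource))


# Constructed hierarchy (names are illustrative, not real resources).
org = Resource("organizations/123456789")
folder = Resource("folders/987654321", parent=org)
project = Resource("projects/my-project", parent=folder)
vm = Resource("projects/my-project/zones/us-central1-a/instances/vm-1", parent=project)
other_vm = Resource("projects/my-project/zones/us-central1-a/instances/vm-2", parent=project)

USER_A = "user:usera@example.com"  # Viewer on the project, admin on one instance
USER_B = "user:userb@example.com"  # Editor on the project, Viewer on one instance

# The scenario from the question: restrictive at the project, permissive on one resource.
project.grant("roles/viewer", USER_A)
vm.grant("roles/compute.instanceAdmin.v1", USER_A)

# The scenario from the quoted documentation: permissive at the project, "restrictive"
# on a child. The child binding cannot remove the project-level Editor grant.
project.grant("roles/editor", USER_B)
vm.grant("roles/viewer", USER_B)


if __name__ == "__main__":
    for member in (USER_A, USER_B):
        for res in (vm, other_vm):
            print(member, "on", res.name)
            for role, source in role_sources(member, res).items():
                print(f"   {role:35s} granted at {source}")
```

Running the script shows UserA holding both roles/viewer (inherited from the project) and roles/compute.instanceAdmin.v1 (bound on vm-1) on vm-1, but only roles/viewer on vm-2, exactly the "manager for one group, team member elsewhere" picture in the answer; UserB keeps roles/editor on vm-1 despite the extra Viewer binding there.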