
Why does a new G Suite user have access to all GCP resources by default, and how can this access be restricted?

I have a G Suite account, say example.com, and I add a new user called user1@example.com. Now this user logs into the GCP (Google Cloud Platform) console and he has access to all resources under the example.com organization. No roles have been assigned to this user using Cloud IAM and no specific policies are defined.

It is expected that user1@example.com by default doesn't have any access to resources under GCP until some role is assigned.

In this question, the problem is caused by having the Cloud IAM member type "domain:" added as a member assigned the Project Owner role. Everyone in the same domain inherits the permissions assigned to the domain member.

For clarity, you have the domain name example.com. If you add the IAM member domain:example.com to Cloud IAM, everyone that has an email address in that domain, e.g. someone@example.com, will inherit the permissions assigned to domain:example.com automatically.

The domain member requires that the email addresses are managed by either G Suite or Cloud Identity.

G Suite Domain
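As an added example (not part of the original question or answer), the following Python script audits an IAM policy for exactly the misconfiguration described above: a `domain:` member sitting in a binding for a broad role such as `roles/owner`. The policy is a constructed sample in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns; the function names `audit_domain_members` and `strip_domain_members`, the `BROAD_ROLES` set and the `etag` value are my own choices, not anything from the page or from Google's tooling.

```python
"""Audit a GCP IAM policy for overly broad 'domain:' members.

Added example, not from the original question or answer. SAMPLE_POLICY is a
constructed sample in the shape returned by
`gcloud projects get-iam-policy PROJECT --format=json`; the helper names are
hypothetical.
"""
import copy
import json

# Roles that hand out broad control over a project. If a binding for one of
# these lists "domain:<name>", every account in that G Suite / Cloud Identity
# domain inherits the role, which is what the question observed.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy. The second binding is the misconfiguration from
# the question: domain:example.com granted Project Owner.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/owner", "members": ["domain:example.com"]},
        {
            "role": "roles/viewer",
            "members": ["group:auditors@example.com", "domain:example.com"],
        },
        {
            "role": "roles/logging.viewer",
            "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"],
        },
    ],
    "etag": "BwConstructedEtag",  # placeholder value, constructed for the sample
    "version": 1,
}


def audit_domain_members(policy, broad_roles=BROAD_ROLES):
    """Return (role, member) pairs where a whole domain inherits a broad role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in broad_roles:
            continue
        for member in binding.get("members", []):
            if member.startswith("domain:"):
                findings.append((binding["role"], member))
    return findings


def strip_domain_members(policy, broad_roles=BROAD_ROLES):
    """Return a copy of the policy with domain: members removed from broad roles.

    Bindings left with no members are dropped, which is the form expected when
    the result is written back with `gcloud projects set-iam-policy`. The etag
    is preserved so the write fails if the policy changed in the meantime.
    """
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        members = binding.get("members", [])
        if binding["role"] in broad_roles:
            members = [m for m in members if not m.startswith("domain:")]
        if members:
            binding["members"] = members
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    for role, member in audit_domain_members(SAMPLE_POLICY):
        print(f"FINDING: {member} grants {role} to every account in the domain")
    print(json.dumps(strip_domain_members(SAMPLE_POLICY), indent=2))
```

Run the audit against the policy of every project, and also against the folder and organization policies, since a `domain:` binding at those levels is inherited downward and will not show up in a project-level dump. Replacing the domain member with a specific `group:` member keeps the convenience of bulk assignment without granting every newly created account Owner.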
