GSP Members Flashcards
How many different types of members are there in GC?
There are five different types of members: Google Accounts, Service Accounts, Google Groups, Google Workspace domains, and Cloud Identity domains.
Google account
A Google account represents a developer, an administrator, or any other person who interacts with Google Cloud. Any email address that is associated with a Google account can be an identity.
Service account
is an account that belongs to your application instead of to an individual end user.
When you run code that is hosted on Google Cloud, you specify the account that the code should run as.
You can create as many service accounts as needed to represent the different logical components of your application.
Google group
is a named collection of Google accounts and service accounts.
Every group has a unique email address that is associated with the group.
Google groups are a convenient way to apply an access policy to a collection of users.
A Workspace domain
represents a virtual group of all the Google accounts that have been created in an organization’s Workspace account.
Workspace domains represent your organization's internet domain name, such as example.com, and when you add a user to your Workspace domain, a new Google account is created for the user inside this virtual group, such as username@example.com.
Cloud Identity VS IAM
Cloud Identity manages the users (who they are); IAM defines what those users can do.
You use Cloud Identity or Workspace to create and manage users, and IAM to assign roles and permissions.
A policy
is a collection of access statements attached to a resource.
The effective policy on a resource is the union of the policy set on that resource and the policies inherited from its parents, so a less restrictive parent policy always overrides a more restrictive resource policy.
Child policies cannot restrict access that was granted at the parent level.
recommender
You can also use a recommender for role recommendations to identify and remove excess permissions from your principals, improving your resources’ security configurations.
Recommender identifies excess permissions using policy insights.
Deny policies
are made up of deny rules.
With deny policies, you can define deny rules that prevent certain principals from using certain permissions, regardless of the roles they’re granted.
IAM priorities
IAM always checks relevant deny policies before checking relevant allow policies.
IAM Conditions
grant resource access to identities (members) only if the configured conditions are met.
For example, conditions can be used to configure temporary access for users in the event of a production issue, or to limit access to resources to employees making requests from your corporate office.
Google Cloud Directory Sync
synchronizes users and groups from your existing Active Directory or LDAP system with the users and groups in your Cloud Identity domain.
The synchronization is one-way only, which means that no information in your Active Directory or LDAP directory is modified.