{"id":6365,"date":"2020-04-17T15:11:22","date_gmt":"2020-04-17T08:11:22","guid":{"rendered":"http:\/\/gcloudvn.wam.vn\/nhan-dang-va-quan-ly-truy-cap-tren-google-cloud\/"},"modified":"2023-04-21T10:04:20","modified_gmt":"2023-04-21T03:04:20","slug":"achieving-identity-and-access-governance-on-google-cloud","status":"publish","type":"post","link":"https:\/\/gcloudvn.com\/en\/kienthuc\/achieving-identity-and-access-governance-on-google-cloud\/","title":{"rendered":"Achieving identity and access governance on Google Cloud"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When businesses shift from solely on-premises deployments to using cloud-based services, identity management can become more complex. This is especially true when it comes to <\/span><span style=\"font-weight: 400;\">hybrid and <\/span><span style=\"font-weight: 400;\">multi-cloud identity management.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Cloud Identity and Access Management (IAM) offers several ways to manage identities and roles in Google Cloud. One particularly important identity management task is identity and access governance (IAG): ensuring that your identity and access permissions are managed effectively, securely, and correctly. A major step in achieving IAG is designing an architecture that suits your business needs and also allows you to satisfy your compliance requirements. 
To manage the entire enterprise identity lifecycle you must consider the following core tasks:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">User provisioning and de-provisioning<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Single sign-on (SSO)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Access request and role-based access control (RBAC)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Separation of duties (SoD)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Reporting and access reviews<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">In this post, we\u2019ll discuss these tasks to show how you can achieve effective identity and access governance when using Google Cloud.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"User_cung_cap_va_ngung_cung_cap\"><\/span><strong>User provisioning and de-provisioning<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Let\u2019s start at the very beginning. <a href=\"https:\/\/gcloudvn.com\/en\/google-cloud-platform\/\">Google Cloud<\/a> offers several ways to onboard users. Cloud Identity is a centralized hub for Google Cloud and G Suite to define, set up, and manage users and groups\u2014think of Cloud Identity as a provisioning and authentication solution, whereas Cloud IAM is principally an authorization solution. 
Once they\u2019re onboarded, you\u2019ll be able to assign permissions to these users and groups in Google Cloud IAM to allow them access to resources.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Depending on your specific system of record, there are several scenarios to consider.<\/span><\/p>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Neu_ban_su_dung_Active_Directory_hoac_LDAP_tai_to_chuc_cua_ban_nhu_mot_noi_nhan_dang_tap_trung\"><\/span><b>If you\u2019re using an on-premises Active Directory or LDAP directory as a centralized identity store<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">This is the most common pattern for provisioning in enterprises. If your organization has a centralized directory server for provisioning all your users and groups, you can use that as the source of truth for Cloud Identity. Usually an enterprise provisioning solution connects the identities from the source of truth (an HRMS or similar system) to directories, so joiner, mover, and leaver workflows are already in place.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">To integrate an on-premises directory, Google offers a service called Google Cloud Directory Sync, which lets you synchronize users, groups, and other user data from your centralized directory service to the Google Cloud domain directory (the directory Cloud Identity uses). Cloud Directory Sync can synchronize user status, groups, and group memberships. If you do this, you can base your Google Cloud permissions on Active Directory (AD) groups.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">You can also run Active Directory in the cloud using a managed Active Directory service. You can use the managed AD service to deploy a standalone domain in multiple regions for your cloud-based workloads or connect your on-premises Active Directory domain to the cloud. This solution is recommended if:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">You have complex Windows workloads running in Google Cloud that need tight integration with Active Directory for user and access needs.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">You will eventually migrate completely to Google Cloud from your on-premises environment. In this case, this option will require minimal changes to how your existing AD dependencies are configured.<\/span><\/li>\n<\/ul>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Neu_ban_chu_yeu_quan_ly_vong_doi_nguoi_dung_bang_mot_giai_phap_quan_ly_danh_tinh_khac\"><\/span><b>If you primarily manage the user lifecycle with another identity management solution<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">In this scenario, you don\u2019t have a directory as a central hub. Instead you\u2019re using a real-time provisioning solution like Okta, Ping, SailPoint, or others to manage the user lifecycle. These solutions provide a connector-based interface\u2014usually referred to as an \u201capplication\u201d or \u201capp\u201d\u2014that uses the Cloud Identity and<\/span><a href=\"https:\/\/developers.google.com\/admin-sdk\/directory\/v1\/guides\/manage-users\" target=\"_blank\" rel=\"nofollow noopener\"><span style=\"font-weight: 400;\"> User Management<\/span><\/a> <span style=\"font-weight: 400;\">APIs to manage users and group memberships.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Joiner, mover, and leaver workflows are managed directly from these solutions. 
The Cloud Identity account is disabled as soon as a termination event is processed by the leaver workflow, as is the user\u2019s access to Google Cloud. In the case of a mover workflow, when users change job responsibility, the change is reflected in their Cloud Identity group membership which defines their new Google Cloud permissions.<\/span><\/p>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Neu_ban_su_dung_he_thong_quan_ly_danh_tinh_theo_dang_tu_phat_trien\"><\/span><b>If you\u2019re using a home-grown identity management system<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Custom, home-grown identity systems are most commonly found when an organization\u2019s complexity can\u2019t be handled by an off-the-shelf product or when an organization wants greater flexibility than a commercial product can provide. In this case, the simplest option is to use a directory. You can interface with Cloud Identity using an LDAP compliant directory system. Users and groups provisioned via your custom identity management system can be synchronized to Cloud Identity using Cloud Directory Sync without having to write a custom provisioning solution for Cloud Identity.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Single_sign-on\"><\/span><strong>Single sign-on<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Single sign-on (SSO) allows you to access applications without re-authenticating or maintaining separate passwords. Authorization usually comes in as a second layer to make sure authenticated users are permitted to access a given resource. 
As with user provisioning and de-provisioning, how you use SSO depends on your environment:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><b>SSO when using G Suite with Google Authentication.<\/b><span style=\"font-weight: 400;\"> In this case, no special changes are required when signing in to Google Cloud. Google Cloud and G Suite (<a href=\"https:\/\/gcloudvn.com\/en\/google-workspace\/\"><strong>Google Workspace customers<\/strong><\/a>) use the same login, so as long as access has been granted, the user can sign in to the Google Cloud console with their regular login.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>SSO when using G Suite with a third-party identity management solution.<\/b><span style=\"font-weight: 400;\"> If G Suite sign-on has already been enabled, Google Cloud sign-on will also work. If a new G Suite and Google Cloud domain has been established, you can create a new SAML 2.0-compliant integration between Cloud Identity and your identity management provider. For example, Okta and OneLogin provide a configurable SAML 2.0 integration using their out-of-the-box app.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>SSO when using an on-premises identity solution.<\/b><span style=\"font-weight: 400;\"> Cloud Identity controls provisioning and authentication for Google Cloud, and provides a way to configure a SAML 2.0-compliant integration with your on-premises identity provider.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>SSO when using a multi-cloud model.<\/b><span style=\"font-weight: 400;\"> When using multiple cloud service providers, you can use Cloud Identity or invest in a third-party identity provider to have a single source of truth for identities.<\/span><\/li>\n<\/ul>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Yeu_cau_truy_cap_va_kiem_soat_truy_cap_dua_tren_vai_tro\"><\/span><b>Access request and role-based access control<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">For Google Cloud, the \u201cproject\u201d is a top-level entity that hosts resources and workloads. Google Cloud relies on users\/groups to determine role memberships used to provide access to projects. For easier organization and to maintain separation of control, projects can be grouped into folders and access permissions can be granted at the folder level, but the principle remains the same. There are several roles in Google Cloud based on workload. For example, if you use <a href=\"https:\/\/gcloudvn.com\/en\/bigquery\/\">BigQuery<\/a>, you will assign users predefined roles such as BigQuery Administrator, BigQuery Data Editor, or BigQuery User. Best practice is to always assign roles to Google Groups.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Google Groups are synchronized from your directory environment or from your identity management solution into Cloud Identity. Again, think of Cloud Identity as your authentication system and Cloud IAM as your authorization system. These groups can be modeled based on project requirements and then be exposed in your identity management system. 
They can then be requested by the end user or assigned automatically based on their job requirements using enterprise roles.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">One way to structure your Google Cloud organization to separate workloads is to set up folders that mirror your organization\u2019s business structure and match them to how you grant access to different teams within your organization:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">A top level of folders reflects your lines of business (LOB)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Under a LOB folder you would have folders for departments<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Under departments you would have folders for teams<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Under team folders you would have folders for product environments (e.g., DEV, TEST, STAGING, and PROD)<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">With this structure in place, you would model Active Directory or identity management provider groups for access control based on this hierarchy, assign them based on roles, or expose them for access request\/approval. You should also have \u201cbreak glass\u201d account request procedures, along with the pre-approved roles a user could be granted, to manage potential emergency situations.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Organizations that have frequent reorganizations might want to limit folder nesting. Ultimately, you can go as abstract or as deep as you\u2019d like to balance flexibility and security. Let\u2019s look at two examples of how this balance can be achieved.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">The figure below shows an example of structuring your Google Cloud organization with a business-unit-based hierarchy approach. The advantage of this structure is that it lets you go as granular as you\u2019d like; however, it is difficult to maintain because it doesn\u2019t adapt well to organizational changes such as reorganizations.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15773 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/New14.png\" alt=\"Identity and access management on Google Cloud 1\" width=\"512\" height=\"286\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Next we have an example of an environment-based hierarchy approach to your Google Cloud organization. This structure still lets you implement granular control over your workloads, and it\u2019s also easier to implement using infrastructure as code (think Terraform).<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15775 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new16.png\" alt=\"Identity and access management on Google Cloud 2\" width=\"512\" height=\"284\" \/><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Phan_tach_nhiem_vu\"><\/span><b>Separation of duties<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Separation of duties (SoD) is a control that\u2019s designed to prevent error or abuse by ensuring that at least two individuals are responsible for a task. 
Google Cloud provides several options to achieve SoD:<\/span><\/p>\n<ol style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">As seen in the previous section, the Google Cloud resource hierarchy lets you create a structure that provides separation based on job responsibilities and organizational position. For example, an operational engineer working in one line of business usually wouldn\u2019t have access to a project in another line of business, and a financial analyst wouldn\u2019t have access to a project that deals with data analysis.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Google Cloud lets you define IAM custom roles, which can simply be a collection of out-of-the-box roles.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Google Cloud lets you bind roles to groups at various levels in your resource hierarchy. With this feature, a group can be granted its roles at the organization level, a folder level, or a project level, depending on how the bindings are created.<\/span><\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Here\u2019s an example of how roles can be defined at the organization level.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15774 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new15.png\" alt=\"Identity and access management on Google Cloud 3\" width=\"512\" height=\"361\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">In the next figure, we define a \u201cSecurity admin group\u201d and assign the appropriate IAM roles at the Org level.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15778 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new19.png\" alt=\"Identity and access management on Google Cloud 4\" width=\"512\" height=\"290\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Then, along similar lines, you can think of groups that could be defined at a folder or project level.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15777 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new18.png\" alt=\"Identity and access management on Google Cloud 5\" width=\"512\" height=\"324\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">For example, below we define the \u201cSite reliability engineers\u201d group and assign the appropriate IAM roles at the folder or project level.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15776 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new17.png\" alt=\"Identity and access management on Google Cloud 6\" width=\"512\" height=\"300\" \/><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Bao_cao_va_truy_cap_danh_gia\"><\/span><b>Reporting and access reviews<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Users can gain access to a project either by having it granted to them directly or through organization- or folder-level inheritance. This can make it unwieldy to meet compliance requirements that call for a report of \u201cwho has access to what\u201d within Google Cloud.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">While you can get this \u201cmaster\u201d list using the Cloud Asset Manager APIs or the gcloud <a href=\"https:\/\/cloud.google.com\/sdk\/gcloud\/reference\/beta\/asset\/search-all-iam-policies\" target=\"_blank\" rel=\"nofollow noopener\">search-all-iam-policies<\/a> command, a better option is to export IAM policies to BigQuery using the Asset Manager APIs\u2019 export capabilities. Once this data is available in BigQuery, you can analyze it in Data Studio or import it into the tools of your choice.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"De_tat_ca_chung_cung_nhau\"><\/span><b>Putting it all together<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Identity and access governance can be a challenging task. After reading this blog post, we hope that you have a clearer understanding of the options you have to address it on Google Cloud. 
To learn more about IAM, check out the technical documentation and our presentation at Cloud Next \u201819.<\/span><\/p>\n<p style=\"text-align: right;\"><strong>Source: Gimasys<\/strong><\/p>","protected":false},"excerpt":{"rendered":"<p>When businesses shift from on-premises deployments (hosted within your organization) to using cloud-based services, identity management can become more complex.&hellip;<\/p>","protected":false},"author":1,"featured_media":6366,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kienthuc","entry","has-media"],"_links":{"self":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/comments?post=6365"}],"version-history":[{"count":0,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6365\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media\/6366"}],"wp:attachment":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media?parent=6365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/categories?post=6365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v
2\/tags?post=6365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}