Grant and revoke access

Every subject - a user or a group - follows a two-step process to gain access to the global API server. Grant a subject with permissions in the global API server using IAMRoleBinding to a predefined IAMRole. All role and role bindings are global.

Personas (IO, PA, AO) are not roles but are collections of user roles mapped to specific permissions and assigned to individual users.

Set up role bindings

You can set up role bindings that give team members access to resources at the organization or project level.

To get the permissions that you need to set up role bindings, ask your Organization IAM Admin to grant you the Organization IAM Admin role.

To assign a role to an authorized member, follow these steps:

Console

  1. Sign in to the GDC console.
  2. Select an organization or project from the scope picker.
    • To set up role bindings for an organization, select an organization.
    • To set up role bindings for a project, select a project.
  3. In the navigation menu, click Identity and Access > Access.
  4. Click Add Member.
  5. Choose whether you want to add individual users or groups.
  6. In the Identity provider list, select an identity provider.
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Role list, select the role that you want to assign to the user or group, such as Organization Viewer at the organization level or Project Creator at the project level.
  9. Click Add.

The member appears in the Authorized member list.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Set up role bindings.

    • Set up role bindings for an organization:

      gdcloud organizations add-iam-policy-binding ORGANIZATION \
  --member=USER_ACCOUNT \
  --role= ROLE

      Replace the following variables:

      • ORGANIZATION: the name of the organization for which you're setting up the role binding.
      • USER_ACCOUNT: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to assign to the user.

    • Set up role bindings for a project:

      gdcloud projects add-iam-policy-binding PROJECT \
  --member=USER_ACCOUNT \
  --role= ROLE

      Replace the following variables:

      • PROJECT: the name of the project for which you're setting up the role binding.
      • USER_ACCOUNT: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to assign to the user.

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

  1. Sign in to the GDC console.
  2. In the navigation menu, click Identity and Access > Access.
  3. In the Authorized members list, select a member.
  4. Click Remove member.
  5. When prompted, click Remove member to confirm.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Remove role bindings.

    • Remove role bindings for an organization:

      gdcloud organizations remove-iam-policy-binding ORGANIZATION \
  --member=USER_ACCOUNT \
  --role= ROLE

      Replace the following variables:

      • ORGANIZATION: the name of the organization from which you're removing the role binding.
      • USER_ACCOUNT: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to remove from the user account.

    • Remove role bindings for a project:

      gdcloud projects remove-iam-policy-binding PROJECT \
  --member=USER_ACCOUNT \
  --role= ROLE

      Replace the following variables:

      • PROJECT: the name of the project from which you're removing the role binding.
      • USER_ACCOUNT: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to remove from the user account.

Revoke user access

If a member leaves your organization or team, you can revoke their access to Google Distributed Cloud (GDC) air-gapped. Revoking a user's access logs them out of Distributed Cloud and removes their roles and permissions. You can also list the user's activity and sessions from their start and end time.

To revoke a user's access across a GDC universe, you must revoke access for each individual zone separately. Complete the following steps for each zone:

  1. Ensure you are signed in to the zone you want to revoke access for. For example, set the zonal URL configuration for gdcloud CLI, and then sign in:

    gdcloud config set organization_console_url ZONE_URL
gdcloud auth login

    Replace ZONE_URL with the GDC console URL for the zone to revoke user access for, which resembles https://console.ORG_NAME.ZONE_NAME.ORG_SUFFIX.

    For more information on switching zonal contexts, see Manage resources across zones.

  2. Get the permissions that you need to revoke users. Ask your Organization IAM Admin to grant you the Org Session Admin (org-session-admin) role.

  3. Revoke the user's access for the zone:

    gdcloud admin auth revoke --accounts USER_EMAIL

    Replace USER_EMAIL with the email of the user to revoke access.

    After running the command, you see output similar to the following. This example revokes access from the user ariel@example.com:

    Success: NUMBER of sessions revoked for user ariel@example.com

    In this example, the variable NUMBER refers to the number of active sessions the user had.

  4. Confirm you've revoked the user's access by running the gdcloud admin auth revoke command again. If successful, you see the following:

    No sessions found for account: ariel@example.com

  5. Repeat the previous steps for each zone in your universe.