Fixed
Status Update
Comments
al...@google.com <al...@google.com>
[Deleted User] <[Deleted User]> #2
If I understand this feature request properly, then I agree. Right now in the console, you can only see a user's organization-level or project-level IAM roles. So if I grant a user a role on a BUCKET or BigQuery TABLE, I can't look it up anywhere as far as I can tell (other than by looking at the bucket or table permissions). It won't show this permission when I go to IAM&Admin->Admin.
For managing all permissions across my organization, I would like to be able to look up, in one place, all permissions that a user has (all of the permissions at the organization, project, and lower levels, all together in one chart).
The initial feature request is to allow this with gcloud, but I think it applies to the console too.
ni...@gmail.com <ni...@gmail.com> #3
Hi all,
we currently have the same issue. We gave a user who only briefly worked on a few of our projects permissions. We would like to completely remove the user from our system, but that is difficult to do when we are unable to get an overview of which projects/folders/etc. the user was given permissions on.
It would be great to be able to look up, for each individual user (or other type of identity), where permissions were given.
Best Regards
Nikita
li...@google.com <li...@google.com> #4
1. Who are granted a given permission in my org?
gcloud asset search-all-iam-policies \
--scope=organizations/123456 \
--query='policy.role.permissions:resourcemanager.projects.setIamPolicy'
2. Which policies under my folder contain a given user?
gcloud asset search-all-iam-policies \
--scope=folders/123456 \
--query='policy:foo@bar.com'
3. Which policies grant a given role under my project?
gcloud asset search-all-iam-policies \
--scope=projects/my-project \
--query='policy:roles/owner'
Note that we only support IAM policies for resource types as listed under "Searchable asset types":
https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
More query examples:
https://cloud.google.com/asset-inventory/docs/searching-iam-policies-samples
How to start:
https://cloud.google.com/asset-inventory/docs/searching-iam-policies
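For the offboarding case raised in comment #3, the JSON from query 2 in comment #4 can be flattened into one row per resource and role for a single identity. The following is an added example, not code from this thread or from Google; the sample results, `member_email` and `grants_for` are constructed for illustration, and the exact-match filter on the member's email is a choice made here.

```python
import json

# Constructed sample shaped like the JSON printed by:
#   gcloud asset search-all-iam-policies --scope=organizations/123456 \
#     --query='policy:foo@bar.com' --format=json
SAMPLE_OUTPUT = json.dumps([
    {"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
     "policy": {"bindings": [
         {"role": "roles/owner",
          "members": ["user:foo@bar.com", "user:notfoo@bar.com"]}]}},
    {"resource": "//storage.googleapis.com/example-bucket",
     "policy": {"bindings": [
         {"role": "roles/storage.objectViewer",
          "members": ["user:Foo@bar.com"],
          "condition": {"title": "constructed", "expression": "true"}}]}},
    {"resource": "//bigquery.googleapis.com/projects/my-project/datasets/ds1/tables/t1",
     "policy": {"bindings": [
         {"role": "roles/bigquery.dataViewer",
          "members": ["deleted:user:foo@bar.com?uid=123456789012345678901"]}]}},
])


def member_email(member):
    """Return the lowercased identity part of an IAM member string."""
    # Deleted principals are listed as deleted:user:foo@bar.com?uid=...
    if member.startswith("deleted:"):
        member = member[len("deleted:"):]
    _kind, _, ident = member.partition(":")   # "allUsers" yields an empty ident
    return ident.split("?", 1)[0].lower()


def grants_for(search_output, email):
    """Sorted (resource, role, member, conditional) rows naming exactly `email`."""
    rows = set()
    for result in json.loads(search_output):
        for binding in result.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                if member_email(member) == email.lower():
                    rows.add((result["resource"], binding["role"],
                              member, "condition" in binding))
    return sorted(rows)


if __name__ == "__main__":
    for resource, role, member, conditional in grants_for(SAMPLE_OUTPUT, "foo@bar.com"):
        print(resource, role, member, "conditional" if conditional else "", sep="\t")
```

The rows only cover the resource types listed under "Searchable asset types", so an empty result is not proof that the identity holds no grants elsewhere.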
sa...@google.com <sa...@google.com>
sa...@google.com <sa...@google.com> #5
Hello,
I’m pleased to inform you that our product engineering team has resolved the reported issue. Please verify if the problem has been resolved from your end as well.
Product Engineer Team Comments:
If you encounter any further issues or have any additional concerns, please don't hesitate to create a new issue on the
I will now proceed to close this issue. If you have any other questions or need further assistance, please feel free to let us know.
Description
Currently, we can only get the list of all IAM roles for a specific user:
gcloud projects get-iam-policy Project_Name | grep -E 'USER|role'
gcloud iam roles describe roles/compute.admin