IssueTracker

Business Impact: Protecting Google IAM changes to prevent any single person from making an IAM change without the approval of at least one other person.

Relevant Details:

• they are looking for available options protections Google IAM can add to prevent any single person from making an IAM change without the approval of at least one other person.

• customer can create a separate org admin (and remove the org admin role from the existing super admin) as described in the best practices[1], but the super admin will still retain the permission to re-assign the org admin role to themselves.

Research done:

• we can set limits on granting access[2], however super admin by default get the accesses of Organization Admin

[1]- https://cloud.google.com/resource-manager/docs/super-admin-best-practices

[2]- https://cloud.google.com/iam/docs/setting-limits-on-granting-roles

Reproduction Steps: N/A

What you would like to accomplish:

• customer is looking for available options to secure IAM changes through approval from multiple super admins.

How this might work:

• Any super admin or Org Admin user do some changes on IAM will require checking/approval from another super admin or org admin