IAM conditions based on modified grants by members [309992915]

Assigned

Feature Request

Status Update

No update yet.

Description

ai...@google.com

created issue #1

Nov 9, 2023 07:48PM

Problem you have encountered:

The customers can set limits on the roles that a principal can grant and revoke with Identity and Access Management (IAM) Conditions and the

iam.googleapis.com/modifiedGrantsByRole API attribute.

api.getAttribute('

iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(roles)

There is an interest in adding limits on Member ( User , Group, Service Account).

For example, the below condition would limit IAM modifications (grant or revoke) to these members (a group, a service account, and a specific user):

*api.getAttribute('

iam.googleapis.com/modifiedGrantsByMembers',
[]).hasOnly(['group:some-group@example.com',
'serviceAccount:some-sa@project-number.iam.gserviceaccount.com',
'user:john@example.com'])*

What you expected to happen:

To have more options for IAM with conditions.

Steps to reproduce:

Other information (workarounds you have tried, documentation consulted, etc):

Comments

ai...@google.com <ai...@google.com> Nov 9, 2023 07:49PM

Assigned to gc...@google.com.

ka...@google.com <ka...@google.com> Nov 10, 2023 01:49AM

Reassigned to ka...@google.com.

ka...@google.com <ka...@google.com> #2Nov 10, 2023 07:47AM

Reassigned to gc...@google.com.

Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.

de...@simpleclub.com <de...@simpleclub.com> #3Mar 16, 2024 11:49AM

One more detail, Data Layer event calls from the watch to the phone (running Android 13) do work on if the listener is in an Activity or Fragment.

ma...@google.com <ma...@google.com> #4
Restricted+
May 22, 2024 09:23AM

Reassigned to ma...@google.com.

Comment has been deleted.

ma...@google.com <ma...@google.com> May 22, 2024 11:59AM

Reassigned to gc...@google.com.

Issue 309992915

Description

Issue summary