Comments
jp...@google.com <jp...@google.com> #2
The R8 build does include these files in our jar and they are not used/needed. I'll amend our build to avoid including them and merge it to the release branches.
bl...@google.com <bl...@google.com> #3
Project: r8
Branch: master
commit 80533c96c4561ab997f18ce65dd2c0c6a37a33b5
Author: Ian Zerny <zerny@google.com>
Date: Thu Jan 24 10:32:09 2019
Don't include kotlin module files in distribution.
Bug: 123310328
Change-Id: Ie70d4b15f08ffc0e7b754c558079002bd6a84334
M build.gradle
https://r8-review.googlesource.com/33381
Description
The groups.memberships.searchTransitiveGroups API in Cloud Identity is designed to retrieve membership information for users within a Google Workspace domain. However, its current implementation results in a 403 Permission Denied error when querying external email addresses, preventing us from determining whether an external user is a member of any groups within our domain.
In our Google Workspace domain, we follow Google Cloud IAM best practices by adding external stakeholders to our domain’s groups and granting permissions to those groups rather than individual users. This approach works well for managing access to Google Cloud resources. However, we also need to extend the same authorization mechanism to our internal business applications. The inability to retrieve external email addresses’ group memberships within our domain via the Cloud Identity API imposes a major limitation on our access management strategy.
Therefore, we request a feature enhancement in the Cloud Identity API that allows us to determine “which groups within our Google Workspace domain a given email address belongs to.” This should not be implemented as retrieving membership information about external users themselves, but rather as querying a domain’s groups and listing their members, regardless of whether they are internal or external users.
Impact
Currently, Google Cloud IAM allows group-based access control that includes external email addresses, but the Cloud Identity API does not provide equivalent capabilities. This discrepancy leads to the following issues:
Inconsistency in Access Management
Increased Security Risks
Lack of Consistency Across the Google Cloud Ecosystem
For these reasons, we strongly request an enhancement to the Cloud Identity API that enables retrieving membership information from a domain's groups, regardless of whether the members are internal or external users. This feature would align Cloud Identity API with Google Cloud IAM and significantly improve unified access control across Google services.
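The workaround the request describes, enumerating the domain's own groups and their members instead of looking up the external address, written out as an added example (not code from the reporter or from Google). The response field names (name, groupKey.id, preferredMemberKey.id) and the sample groups are assumptions constructed for the example; the two callables stand in for the real groups.list and groups.memberships.list calls.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, Set

# Constructed sample data standing in for Cloud Identity responses (assumed
# shapes: groups.list -> name + groupKey.id, memberships.list ->
# preferredMemberKey.id + type). Not real domain data.
SAMPLE_GROUPS = [
    {"name": "groups/g1", "groupKey": {"id": "gcp-admins@example.com"}},
    {"name": "groups/g2", "groupKey": {"id": "gcp-viewers@example.com"}},
    {"name": "groups/g3", "groupKey": {"id": "all-staff@example.com"}},
]
SAMPLE_MEMBERS = {
    "groups/g1": [{"preferredMemberKey": {"id": "alice@example.com"}, "type": "USER"}],
    "groups/g2": [
        {"preferredMemberKey": {"id": "partner@external-example.net"}, "type": "USER"},
        {"preferredMemberKey": {"id": "gcp-admins@example.com"}, "type": "GROUP"},
    ],
    "groups/g3": [{"preferredMemberKey": {"id": "gcp-viewers@example.com"}, "type": "GROUP"}],
}


def build_direct_index(
    list_groups: Callable[[], Iterable[dict]],
    list_members: Callable[[str], Iterable[dict]],
) -> Dict[str, Set[str]]:
    """Map each member email (user or group) to the group emails listing it directly.

    Only the domain's groups are queried, so no per-user lookup of an external
    address is needed (the call that returns 403 in the report)."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for group in list_groups():
        group_email = group["groupKey"]["id"].lower()
        for member in list_members(group["name"]):
            index[member["preferredMemberKey"]["id"].lower()].add(group_email)
    return index


def transitive_groups(email: str, index: Dict[str, Set[str]]) -> Set[str]:
    """Direct groups plus groups reached through nested groups; cycle-safe."""
    seen: Set[str] = set()
    frontier = [email.lower()]
    while frontier:
        principal = frontier.pop()
        for group_email in index.get(principal, ()):
            if group_email not in seen:
                seen.add(group_email)
                frontier.append(group_email)  # a group can itself be a member
    return seen


if __name__ == "__main__":
    idx = build_direct_index(lambda: SAMPLE_GROUPS, lambda n: SAMPLE_MEMBERS.get(n, []))
    print(sorted(transitive_groups("partner@external-example.net", idx)))
```

With a real client, replace the two lambdas with paginated groups.list and groups.memberships.list calls; the index can be built once per sync and then queried for any address, internal or external.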