Activate role on organizational level #88

Open
TKBP opened this issue Jun 19, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@TKBP

TKBP commented Jun 19, 2023

Hi,

It would be great if it was possible to activate JIT controlled roles on the organization (and possibly folder) level too. The use case is the following: our organization uses JIT to control roles and provide just in time privileges to everyone in the company. That said there are "central" teams who have roles on the organizational or sometimes folder level - currently it's not possible for them to activate their role on anything else but a project.

A real life scenario is that if the role Security Admin was JIT controlled on the organizational level, there is no option to activate it so role owners could use their privileges on the org level instead of just a single project.

Hopefully this makes sense and it can be added as an enhancement.

Many thanks!

@jpassing
Collaborator

In general, I'd say that it's a good practice to activate a role for an individual project only, even if you've been granted eligible access to an entire folder or organization.

But you're right that there are some activities for which this project-based approach doesn't work -- such as modifying org- or folder-level IAM policies or organizational policies, or managing VPC-SC perimeters.

Technically, I think it would be possible to extend the tool so that you can not only select projects (in the project dropdown), but also folders or the organization node. The only downside here is that it might steer users away from the good practice of activating roles for individual projects only.

@jpassing jpassing added the enhancement New feature or request label Jun 19, 2023
@TKBP
Author

TKBP commented Jun 21, 2023

Thanks for replying and considering it for enhancement. I agree it's best practice and most secure to activate roles only where it's necessary (project level), but as you say there are quite a few things that need to be done on the org level. However, not having an option to activate roles on the org level would only leave us with "permanent" roles assigned on the org level, which is absolutely not ideal or secure.

In my view, having a JIT controlled and managed role(s) on org level is still much better than "permanently assigned" roles on the same level.

Many thanks again!

@rojomisin

I wonder if it is possible to configure an org-level permission or role which can only add permissions to projects, but not have access to those projects themselves?

@jpassing
Collaborator

@rojomisin not sure if I understand your question... but are you thinking of something like delegated role granting to prevent users from granting themselves additional access?

@duxbuse

duxbuse commented Jul 10, 2023

Whilst I would like to be able to just activate the roles, could we at least improve the error messaging on these guys.

Currently, if you try to activate a permission that can't be bound at a project level, but shows up because you have inherited it, when you try to activate it you just get the mysterious "403 Forbidden". Would be nice if we could pass through the error message "Role (roles/orgpolicy.policyAdmin) does not exist in the resource's hierarchy." or something to let you know that whilst the role has the jit constraint you can't use it.

In my use case I have added a whole swathe of privileged roles to include the jit constraint. But most of these are actually admin-esque roles that only exist on billing accounts or folder admins or org level. I would really love it if I could activate my admin perms at a specific project and anything that can't be activated at a project level is activated at the lowest level it can support.
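The resolution the thread is asking for, as an added example that is not part of the JIT Access project: given JIT-eligible bindings inherited from the org, pick the lowest node in the hierarchy the role can be bound to, and return a specific reason instead of a bare 403 when the requested level is not grantable. The resource ids, policies, the `LOWEST_LEVEL` table and the JIT condition expression are all constructed assumptions for the sample.

```python
# Constructed sample hierarchy (top-down) and IAM policies; ids are not real.
# The condition is assumed to be how JIT Access marks a binding as eligible.
JIT_CONDITION = "has({}.jitAccessConstraint)"
HIERARCHY = [("organizations/123456789012", "organization"),
             ("folders/987654321098", "folder"),
             ("projects/sample-project", "project")]
POLICIES = {
    "organizations/123456789012": [
        {"role": "roles/orgpolicy.policyAdmin", "members": ["user:alice@example.com"],
         "condition": {"expression": JIT_CONDITION}},
        {"role": "roles/iam.securityAdmin", "members": ["user:alice@example.com"],
         "condition": {"expression": JIT_CONDITION}},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},  # permanent
    ],
    "folders/987654321098": [],
    "projects/sample-project": [
        {"role": "roles/compute.admin", "members": ["user:alice@example.com"],
         "condition": {"expression": JIT_CONDITION}},
    ],
}
# Assumed lookup of the lowest level a role can be bound at; a real implementation
# would read the role's supported resource types from IAM instead.
LOWEST_LEVEL = {"roles/orgpolicy.policyAdmin": "organization",
                "roles/iam.securityAdmin": "project", "roles/compute.admin": "project"}
RANK = {"organization": 0, "folder": 1, "project": 2}

def eligible_bindings(member, policies=POLICIES):
    """Map each JIT-eligible role of member to the resource holding the binding."""
    return {b["role"]: res for res, bindings in policies.items() for b in bindings
            if member in b["members"]
            and b.get("condition", {}).get("expression") == JIT_CONDITION}

def activation_target(member, role, requested=None, hierarchy=HIERARCHY,
                      policies=POLICIES):
    """Lowest node at or below the eligible binding that supports role, as
    (resource, level); otherwise (None, reason) instead of a bare 403."""
    binding = eligible_bindings(member, policies).get(role)
    if binding is None:
        return None, f"{member} has no eligible (JIT) binding for {role}"
    levels, lowest = dict(hierarchy), LOWEST_LEVEL[role]
    if requested is not None and RANK[levels[requested]] > RANK[lowest]:
        return None, (f"{role} is not grantable on a {levels[requested]}; "
                      f"lowest supported level is {lowest}")
    # An inherited binding applies to every node below the one that holds it.
    start = [res for res, _ in hierarchy].index(binding)
    candidates = [(res, lvl) for res, lvl in hierarchy[start:]
                  if RANK[lvl] <= RANK[lowest]]
    return candidates[-1] if candidates else (None, f"{role} cannot be bound below {binding}")
```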

@jpassing
Collaborator

I agree that the error message is poor, and I'll fix that.

jpassing added a commit that referenced this issue Jul 16, 2023
Show a more specific error message to the user when they try
to activate a role that's not grantable on projects (such as
Billing Viewer).

Cf #88.
jpassing added a commit that referenced this issue Jul 17, 2023
Show a more specific error message to the user when they try
to activate a role that's not grantable on projects (such as
Billing Viewer).

Cf #88.
@dgteixeira

This activation at the organization level would be very useful for a use case we currently have at our company:

  • All the org-level groups should only have the high-level roles whenever required.

One particular example:

  • We only want to provide the Billing Administrator role (at org level) for the billing group when we need to do something (example: approve a marketplace offer).

This would actually be very important for us to implement jit in our organization, because our main goal is to use it for org level, not only project level.
