!!! Overview
[1] [2] [{$pagename}] is [Identity and Access Management] ([IAM]) for [Google Cloud Platform] that lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage cloud resources centrally.

For established enterprises with complex organizational structures, hundreds of workgroups and potentially many more projects, Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.

!! Concepts related to [{$pagename}]
After [Google] [authenticates] the [member] making a [request], [{$pagename}] makes an [authorization] decision on whether the [member] holds a [Role] that has the [permission] to perform the requested action on the requested [resource].

! [GCP Identity]
In [{$pagename}], [GCP Roles] are granted to [GCP Identities|GCP Identity].

! [GCP Resource]
You can grant [GCP Identities|GCP Identity] access to a [Google Cloud Platform] [GCP Resource].

! [Permission]
[Permissions] determine what operations are allowed on a [resource]. In the [{$pagename}] world, permissions are represented in the form:
%%prettify
{{{
<service>.<resource>.<verb>
}}}
/%
for [example] pubsub.subscriptions.consume.

[Permissions] usually, but not always, correspond 1:1 with [REST] methods. That is, each [Google Cloud Platform] service has an associated set of [permissions] for each [REST] method that it exposes. The caller of that method needs those [permissions] to call that method. For example, the caller of Publisher.Publish() needs the pubsub.topics.publish permission.

! [GCP Roles]
A [role] is a collection of [permissions]. You cannot assign a [permission] to a user directly; instead you grant them a [role]. When you grant a role to a user, you grant them all the [permissions] that the [role] contains.
* Primitive roles: The roles historically available in the Google Cloud Platform Console will continue to work. These are the Owner, Editor, and Viewer roles.
* Predefined roles: Predefined roles are the IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Publisher provides access only to publish messages to a Pub/Sub topic.
* Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs.

!! [{$pagename}] [Access Control]
[{$pagename}] [Access Control] is done by creating a [GCP IAM Policy]. A [GCP IAM Policy] is attached to a [GCP Resource] and binds [GCP Roles] to [GCP Identities|GCP Identity].

!! Category
%%category [Google Cloud Platform]%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [CLOUD IDENTITY & ACCESS MANAGEMENT|https://cloud.google.com/iam/|target='_blank'] - based on information obtained 2017-08-10
* [#2] - [basic concepts of Google Cloud Identity and Access Management|https://cloud.google.com/iam/docs/overview|target='_blank'] - based on information obtained 2017-08-10
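The authorization decision and policy binding described under Concepts and Access Control above, as an added Python model that is not part of this wiki page or of Google's implementation: the role contents, the policy, the member names and the custom role name are constructed assumptions (only the Publisher role's single permission is taken from the page), and the last function shows the access-review use of the same logic.

```python
"""Toy model of the Cloud IAM decision: after authentication, is the member
bound (in the resource's policy) to a role whose permissions include the one
the request needs? Role contents are hand-constructed subsets (assumption)."""
from typing import Dict, List, Set, Tuple

# Permission names follow <service>.<resource>.<verb>.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    # Predefined role: the page says Publisher only allows publishing to a topic.
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    # Predefined role (constructed subset): consume from subscriptions.
    "roles/pubsub.subscriber": {"pubsub.subscriptions.consume"},
    # Primitive role (constructed subset): broad, cross-service read/write.
    "roles/editor": {"pubsub.topics.publish", "pubsub.topics.delete",
                     "pubsub.subscriptions.consume", "storage.objects.create"},
    # Custom role (constructed name): tailored to one team's read-only needs.
    "projects/demo/roles/auditReader": {"pubsub.topics.get"},
}

# Constructed IAM policy attached to one resource (a Pub/Sub topic).
TOPIC_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:ingest@demo.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "projects/demo/roles/auditReader",
         "members": ["group:auditors@example.com"]},
    ]
}

def parse_permission(permission: str) -> Tuple[str, str, str]:
    """Split 'pubsub.topics.publish' into (service, resource, verb)."""
    service, resource, verb = permission.split(".")
    return service, resource, verb

def permissions_for(policy: dict, member: str) -> Set[str]:
    """Union of the permissions of every role the member is bound to."""
    granted: Set[str] = set()
    for binding in policy["bindings"]:
        if member in binding["members"]:
            granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted

def is_authorized(policy: dict, member: str, permission: str) -> bool:
    """The authorization decision for one request against this resource."""
    return permission in permissions_for(policy, member)

def members_with(policy: dict, permission: str) -> List[str]:
    """Access review: who can perform this action? Exposes broad primitive grants."""
    members = {m for b in policy["bindings"] for m in b["members"]}
    return sorted(m for m in members if is_authorized(policy, m, permission))
```

Running members_with for pubsub.topics.delete shows that the Editor primitive role grants the delete verb nobody asked for, which is the case for preferring the predefined or a custom role.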