The ability to control data access on a granular level is critical when it comes to security. To that end, Google has launched custom roles for Cloud IAM in beta today to help administrators tightly control permissions around data access on Google Cloud Platform.
Custom roles offer customers control of 1,287 public permissions across GCP services. Custom roles provide administrators with more precision than the three primitive roles for Owner, Editor, and Viewer, and the hundred service-specific predefined roles that combine a set of permissions necessary to complete different tasks across GCP.
According to Google, “You don't directly grant users permissions. Instead, you grant them roles, which bundle one or more permissions. Predefined roles are created by Google and we maintain with the most up-to-date permissions required for new features and other changes. Custom roles allow you to bundle one or more of the available permissions to specifically meet your needs. You can create a custom role at the organization level and at the project level.”
The beta launch comes on the heels of Google’s acquisition of Bitium last week, which gives enterprise customers the ability to manage access to web-based applications and extends its capabilities around identity and access management in the cloud.
In a blog post, Google product manager Rohit Khare said unlike GCP predefined roles, admins control if and when permissions are added or removed. When using custom roles, it is important to track what permissions are associated with the roles created, since available permissions for GCP services are constantly evolving.
“We hope Cloud IAM custom roles make it easier for organizations to align access controls to their business processes,” Khare writes. “In conjunction with resource-level IAM policies, which can control access down to specific resources such as Pub/Sub topics or Machine Learning models, security administrators now have the power to publish policies as precise as granting a single user just one permission on a resource — or on whole folders full of projects.”
GCP customer Verily Life Sciences said that custom roles enable it to “uphold the highest standards of patient trust by carefully managing the granularity of data access granted to people and programs based on their ‘need to know.’”
Google has posted detailed step-by-step instructions on how to start using custom roles here.