Wednesday, April 19, 2023

GCP IAM & RESOURCES HIERARCHY




Cloud Identity and Access Management (Cloud IAM) is a security framework that verifies users, controls their access rights, and denies access to anyone without the right privileges. It lets you authenticate users and secure access across cloud, SaaS, on-premises systems and APIs. Here are some tips to help you use it better!

  • Make sure that you only give people access to what they need.
  • Make sure that you take away access when people don't need it anymore.
  • Make sure that different people have different jobs so that no one person has too much power.
  • Make sure that you have a plan for how to manage all the different people who need access.
  • Make sure that you keep your passwords and other credentials safe.
  • Make sure that you give people different levels of access depending on what they need.

The "who" can be a person, group, or application.
The "what" refers to specific privileges or actions, and the "resources" can be any Google Cloud service.


  GOOGLE CLOUD RESOURCE HIERARCHY

There is a resource hierarchy within Resource Manager, and it has four different aspects. One of the first things you define, and which will shape how you design the infrastructure, is:

  1. ROOT ORGANIZATION: This is mainly the company's domain, and Google Cloud needs it as the principal piece that represents your organization within GCP. Literally everything you manage as an environment will be tied to this piece. For example, facebook.com, uber.com and shoeline.com are each a domain that identifies that company's structure within GCP.

Another example: let's say you have 500 employees in your organization, and each of them has an email address that ends with the company domain, like uche@saskhealthregion.com.

If you are using Google Workspace (formerly called G Suite), you can integrate all 500 users into the cloud platform and centralize control, even blocking a particular employee when you need to.

2. FOLDERS (departments): Can be used to segregate the different workloads you are engaged in within the organization. For example, you have four teams (A, B, C, D) that handle independent projects; generally they will not need access to each other's work because they are working on completely different projects. Within a folder you can have multiple objects in which to create resources.

Folders are NOT used to deploy resources. The folder sits within the domain.


3. PROJECTS: In your Cloud Console you create a project; that project is the container that houses all the different resources you can deploy within GCP. Resources sit within a project, and the project sits within a folder.




4. RESOURCES: Each resource (shown in blue in the diagram) has one parent, and resources inherit policies from that parent. Examples of resources: Cloud Run, GCS, Cloud VPC, GCE. Within Google Cloud we also have QUOTAS. Quotas are limits, managed through APIs, on how much of a resource can be consumed within your ecosystem. You can request a quota increase through Google Cloud support. Managing these limits helps with both security and billing.

5. LABELS: These are the objects used to manage and organize your workloads across GCP, for example for billing, governance and automation. They are based on key-value pairs.

QUESTION: One of the first questions you are likely to be asked is how you will access resources in GCP, meaning which interface you use to reach the platform and get familiar with it. When we talk about interfaces, we mean entry and exit points for communication. There are four major interfaces to interact with:
2. Mobile app (iOS and Android).
3. Cloud SDK (Software Development Kit): allows you to programmatically interact with your environment. This interface comprises three major components: bq (BigQuery, the data warehouse), gcloud, and gsutil (storage).
4. GCP client libraries (Python, Node.js, Ruby), mainly used by software developers.

                 Cloud IAM 
Policies can be set only at the organization, folder, project, or resource level.

Each policy contains a set of roles and role members, with resources inheriting policies from their parent. Think of it this way: a resource's effective policy is the union of the parent's policy and the resource's own policy, so a less restrictive parent policy will always override a more restrictive resource policy.

The Organization Administrator role gives a user the right to access all resources within the organization, and the Project Creator role allows users to create projects within the organization.





     WHAT IS A G SUITE

GCP is a suite of cloud computing services that runs on the same infrastructure Google uses internally for its end-user products. G Suite is part of Google Workspace, launched in 2020.

G Suite is a collection of cloud-based productivity and collaboration tools developed by Google. It includes Gmail, Google Drive, Google Docs, Calendar, spreadsheets and so on.

The three main editions of G Suite are, monthly, Basic $6, Business $12 and Enterprise $25. There are several alternatives to G Suite you can consider, such as Fastmail, Office 365, Zoho Workplace, GoDaddy Email and Office, etc.


       THE ROLE OF RESOURCE MANAGER


   TYPES OF IAM ROLES

There are three types of IAM roles: primitive/basic, predefined, and custom.

Primitive/basic roles are the original roles that were available in the Cloud Console, and they are broad. IAM basic roles offer fixed, coarse-grained levels of access.






GCP services offer their own sets of predefined roles and define where those roles can be applied. This gives members granular access to specific GCP resources and prevents unwanted access to other resources. The permissions themselves correspond to classes and methods in the APIs.
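To make the inheritance rule from the Cloud IAM section concrete, and to show why coarse-grained basic roles bound high in the tree matter, here is an added Python example (not from the original post) that models an organization > folder > project > resource tree with constructed policy bindings and computes the effective policy as the union of a node's own bindings and its ancestors'. All resource names, members and bindings are made up for illustration.

```python
# Added example, not from the original post: a small model of the GCP resource
# hierarchy showing how IAM policy bindings are inherited. The effective policy on
# a node is the union of its own bindings and those of every ancestor. All names,
# members and bindings below are constructed for illustration.

# child -> parent; None marks the root organization.
HIERARCHY = {
    "organizations/example-org": None,
    "folders/team-a": "organizations/example-org",
    "projects/team-a-prod": "folders/team-a",
    "buckets/team-a-prod-logs": "projects/team-a-prod",
}

# Bindings set directly on each node: role -> members (constructed sample policy).
POLICIES = {
    "organizations/example-org": {"roles/editor": {"user:admin@example.com"}},
    "folders/team-a": {"roles/viewer": {"group:team-a@example.com"}},
    "projects/team-a-prod": {"roles/storage.objectViewer": {"user:dev@example.com"}},
    "buckets/team-a-prod-logs": {"roles/storage.objectViewer": {"user:admin@example.com"}},
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def ancestors(resource):
    """Yield the resource itself, then each parent up to the root organization."""
    while resource is not None:
        yield resource
        resource = HIERARCHY[resource]

def effective_policy(resource):
    """Union of the bindings on the resource and on all of its ancestors."""
    merged = {}
    for node in ancestors(resource):
        for role, members in POLICIES.get(node, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged

def roles_for(member, resource):
    """All roles a member effectively holds on a resource, whichever level granted them."""
    return {role for role, members in effective_policy(resource).items() if member in members}

def find_basic_role_grants(prefixes=("organizations/", "folders/")):
    """Flag basic roles bound at organization or folder level: they flow down to every
    descendant, and a narrower binding lower in the tree cannot take them away."""
    return sorted((node, role, member)
                  for node, bindings in POLICIES.items() if node.startswith(prefixes)
                  for role, members in bindings.items() if role in BASIC_ROLES
                  for member in sorted(members))
```

Note that the admin user keeps roles/editor on the bucket even though the bucket itself only binds the narrower roles/storage.objectViewer: the parent's broader grant wins.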


In our next slide, we will expand on service models! Happy learning 😊!!
