Enforce certificate-based access with user groups

This page explains how to enforce certificate-based access (CBA) with user groups.

You can restrict access to all Google Cloud services, including the Google Cloud console, by binding a CBA access level to the user group whose access you want to restrict.

Before you continue to the procedures, ensure that you have previously created a CBA access level that requires certificates when determining access to resources.

Create a user group

Create a user group containing the members that should be granted access based on the CBA access level.

Assign the Cloud Access Binding Admin role

Assign the Cloud Access Binding Admin role to the user group by completing the following steps:

Console

  1. In the console, go to the IAM page.

  2. Click Add, and then configure the following:

    1. New principals: Specify the group to which you want to grant the role.
    2. Select a role, and then select Access Context Manager > Cloud Access Binding Admin.
    3. Click Save.

gcloud CLI

  1. Ensure that you are authorized with sufficient privileges to add IAM permissions at the organization level. At a minimum, you need the Organization Admin role.

    After confirming that you have the right permissions, log in:

    gcloud auth login
    
  2. Assign the Cloud Access Binding Admin role (roles/accesscontextmanager.gcpAccessAdmin) by running the following command:

    gcloud organizations add-iam-policy-binding ORG_ID \
      --member=user:EMAIL \
      --role=roles/accesscontextmanager.gcpAccessAdmin
    
    • ORG_ID is the ID for your organization. If you don't already have your organization ID, you can use the following command to find it:

       gcloud organizations list
      
    • EMAIL is the email address of the person or group you want to grant the role to. Keep the user: prefix shown above for an individual account; when EMAIL is a group, replace it with the group: prefix.

Bind the CBA access level to a user group

  1. In the console, go to the BeyondCorp Enterprise page.

  2. Choose an organization, and then click Select.

  3. Click Manage access to choose the user groups that should have access.

  4. Click Add and then configure the following:

    1. Member groups: Specify the group to which you want to grant access. You can only select groups that are not already bound to an access level.
    2. Select access levels: Select the CBA access level to apply to the group.
    3. Click Save.
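The two procedures above (granting the Cloud Access Binding Admin role, then binding the CBA access level to the group) can also be scripted. The following is an added example, not part of this page, and not Google's own tooling. It assumes placeholders you replace: ORG_ID, the group's email address, the group's ID (GROUP_KEY, which is the Google Group ID rather than its email) and the full access level name. The gcloud access-context-manager cloud-bindings create command and its --organization, --group-key and --level flags come from the gcloud reference rather than from this page; the role-binding command is the one the page shows, with the group: prefix the page's note calls for. Setting DRY_RUN=1 prints the commands instead of running them, so you can review what will change before it runs against your organization.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page): script the two steps of
# enforcing CBA for a user group. Placeholders: ORG_ID, GROUP_EMAIL, GROUP_KEY,
# and the access level name are assumptions you replace with your own values.
# With DRY_RUN=1 each gcloud command is printed rather than executed.

# Map a principal type to the prefix gcloud expects in --member. The page's
# command shows user:; a user group must be passed as group:.
member_arg() {
  kind=$1; email=$2
  case "$kind" in
    user|group|serviceAccount) printf '%s:%s' "$kind" "$email" ;;
    *) echo "unsupported principal type: $kind" >&2; return 1 ;;
  esac
}

# Run a command, or print it when DRY_RUN=1 (review before changing IAM).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 of the page: grant Cloud Access Binding Admin at the organization level.
grant_access_binding_admin() {
  org_id=$1; member=$2
  run gcloud organizations add-iam-policy-binding "$org_id" \
    --member="$member" \
    --role=roles/accesscontextmanager.gcpAccessAdmin
}

# Step 2 of the page, via the CLI instead of the console: bind the CBA access
# level to the group. The flags are from the gcloud reference (assumption, not
# shown on the page). LEVEL is the full name,
# e.g. accessPolicies/POLICY_ID/accessLevels/LEVEL_NAME.
create_cba_binding() {
  org_id=$1; group_key=$2; level=$3
  run gcloud access-context-manager cloud-bindings create \
    --organization="$org_id" \
    --group-key="$group_key" \
    --level="$level"
}

# Example invocation with placeholder values (constructed, replace before use).
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  DRY_RUN=1
  grant_access_binding_admin ORG_ID "$(member_arg group GROUP_EMAIL)"
  create_cba_binding ORG_ID GROUP_KEY accessPolicies/POLICY_ID/accessLevels/CBA_LEVEL
fi
```

Run it once with DRY_RUN=1 RUN_EXAMPLE=1 to see the exact commands, then without DRY_RUN once the placeholders are filled in; the member_arg function rejects anything other than user, group or serviceAccount so a typo cannot silently grant the role to the wrong kind of principal.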