Access Approval ensures that Cloud Customer Care and engineering require your explicit consent whenever they need to access your customer content.
Google Cloud offers industry-leading controls to prevent unauthorized access to your customer content by Cloud Customer Care and engineering teams.
Some customers require the ability to directly manage access to their customer content by Google personnel, and to grant explicit approval every time their customer content is accessed. Access Approval solves this problem for you.
Access Approval helps in implementing the security principle of least privilege, which states that nobody should have more permissions and access than they need. Even after you provide access, Google personnel can only view the content that is absolutely essential to fulfill an obligation to provide a contracted service. For example, front-line customer support personnel can only access information about customer environments that is absolutely essential for debugging customer support issues.
For more information about why Google employees might need to access customer content and about Google's privileged access principles, see Privileged access at Google.
Access Approval provides an additional layer of control on top of the transparency that Access Transparency Logs provide. Access Transparency provides you with logs that capture the actions Google personnel take when accessing your content. Access Approval also provides a historical view of all requests that were approved, dismissed, or expired.
How Access Approval works
Access Approval works by sending you an email or Pub/Sub message with an access request that you can choose to approve.
Using the information in the message, you can use the Google Cloud Console or the Access Approval API to approve the access. While approving an access request, you can select the expiration time of the access. For more information about approving access requests, see Approving Access Approval requests.
Google services that support Access Approval
Access Approval lets you select the Google Cloud services you want to enroll in Access Approval. Access Approval requests your consent only for access requests to content stored in the services you select.
Access Approval provides the following options for enrolling services in Access Approval:
- Automatically enable Access Approval for all the supported services, regardless of the level of support (preview or GA). Selecting this option also automatically enrolls all the services that Access Approval supports in future. This is the default option.
- Only enable Access Approval for services with GA-level support. Selecting this option also automatically enrolls all the services that Access Approval supports in future with GA-level support.
- Choose the specific services you want to enroll in Access Approval.
For the complete list of services that support Access Approval, see Supported services.
Access Approval exclusions
The following actions by Google don't trigger an Access Approval request:
System access to user content
These are programmatic, non-human accesses by authorized and reviewed Google processes. For example, a compression job that runs on the content or disk destruction during the content deletion process. The binary authorization functionality checks these accesses. This functionality verifies the following:
- The job originates from code that was checked into production.
- A second party has reviewed the code.
- Legal access
- Where Google accesses customer content to comply with legal requirements, these accesses bypass the Access Approval service.
- Outage access
- Where Google accesses customer content to resolve an outage, these accesses bypass the Access Approval service.
- Legal access
Access Transparency exclusions
Any other exception documented in the Access Transparency exclusions. Anything that fails to generate an Access Transparency log also doesn't generate an Access Approval request.
Requirements for using Access Approval
Before you can use Access Approval, you must first enable Access Transparency for your organization. Access Approval and Access Transparency both require your Google Cloud organization to have one of the following customer support levels:
Alternatively, you can choose one of the following Role-Based support packages:
- Four or more Development roles.
- Four or more Production roles.
- A combination of four or more Development or Production roles.
You can enable Access Approval using the Google Cloud Console. For more information, see the quickstart.
If you are not sure whether your Google Cloud organization has an appropriate Support package, check your Cloud Customer Care console:
In the Support panel, you see either your Support status or the option to upgrade your Support package.
For more information about getting support with Customer Care, see Getting support with Cloud Customer Care.
- To set up Access Approval, read the quickstart.
- Learn how to approve access requests.
- Learn about Access Approval pricing.
- See the list of Google Cloud services that support Access Approval.